On Mon, 2015-02-16 at 13:25 +0000, Matt Caswell wrote: > That sounds like a bug. I can't think of a reason why this should > exclude DTLS.
This fixes it to work with DTLS1_BAD_VER too:
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 3eaee1d..6e20a1f 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -396,7 +396,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const
unsigned char **pp,
os.data = NULL;
os.length = 0;
M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING);
- if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
+ if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR ||
+ ssl_version == DTLS1_BAD_VER) {
if (os.length != 2) {
c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH;
c.line = __LINE__;
> > So I'm going to need to fix *something* in OpenSSL HEAD to make this
> > work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work
> > for DTLS1_BAD_VER, or introduce a new API for setting the fields we need
> > to fake a session resume?
> >
>
> What fields do you need access to? It would be good if you could
> document them on the wiki page here:
> https://wiki.openssl.org/index.php/1.1_API_Changes
I've updated
https://wiki.openssl.org/index.php/1.1_API_Changes#Things_that_Broke_in_OpenConnect
I can either update my code to create the ASN.1 for itself and use
d2i_SSL_SESSION() relying on the patch above, or I can implement the
'alternative' new function if that's preferred.
--
David Woodhouse Open Source Technology Centre
david.woodho...@intel.com Intel Corporation
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
