The Cisco AnyConnect VPN protocol establishes a connection over HTTPS and negotiates parameters (cipher, master secret & session ID) for a DTLS connection which is then "resumed".
The OpenConnect VPN client handles this by using SSL_SESSION_new(), manually setting the appropriate fields in the structure, and then using SSL_set_session(). This code can be seen at http://git.infradead.org/users/dwmw2/openconnect.git/blob/fa5cea08:/dtls.c#l147

Commit b6ba401497 in OpenSSL broke this, because the SSL_SESSION became opaque, with no alternative method that I can see to do what's needed.

I played with manually creating the ASN.1 representation of a session and feeding it to d2i_SSL_SESSION(), but that fails because ssl_version is 0x100 (DTLS1_BAD_VER) and d2i_SSL_SESSION() only works if the SSL version major is >= SSL3_VERSION_MAJOR.

So I'm going to need to fix *something* in OpenSSL HEAD to make this work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work for DTLS1_BAD_VER, or introduce a new API for setting the fields we need to fake a session resume?

-- 
David Woodhouse
Open Source Technology Centre
david.woodho...@intel.com
Intel Corporation
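An added example (not OpenConnect's or OpenSSL's own code) that models the rejection the message describes: it serialises a constructed session in a simplified form of the SSL_SESSION DER layout and decodes it again with the major-version check named above, so the DTLS1_BAD_VER case is refused while a DTLS1_VERSION or TLS 1.0 session passes. The constants SSL3_VERSION_MAJOR, DTLS1_BAD_VER, DTLS1_VERSION and TLS1_VERSION carry OpenSSL's real values; struct fake_session, encode_session(), decode_session() and try_resume_version() are names invented here, and the DER layout is an assumption modelled on the leading SSL_SESSION fields rather than OpenSSL's full encoding.

```c
/* Added example, not OpenConnect's or OpenSSL's code. Models why a
 * DTLS1_BAD_VER session cannot be fed to d2i_SSL_SESSION(): the decoder
 * accepts a session only when the protocol version's major byte is
 * >= SSL3_VERSION_MAJOR, and 0x0100 has major byte 1. Version constants
 * are OpenSSL's real values; the DER layout is a simplified assumption
 * (SEQUENCE { version, ssl_version, cipher, session_id, master_key }). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define SSL3_VERSION_MAJOR 0x03
#define TLS1_VERSION       0x0301
#define DTLS1_BAD_VER      0x0100   /* pre-standard DTLS spoken by Cisco AnyConnect */
#define DTLS1_VERSION      0xFEFF

#define SESSION_REJECTED_VERSION (-1)   /* major-version check failed */
#define SESSION_MALFORMED        (-2)

struct fake_session {               /* hypothetical stand-in for SSL_SESSION */
    int     ssl_version;
    uint8_t cipher[2];              /* two-byte cipher suite id */
    uint8_t session_id[32];
    size_t  session_id_len;
    uint8_t master_key[48];
    size_t  master_key_len;
};

/* The check the message describes: version major must be >= SSL3_VERSION_MAJOR. */
int version_major_ok(int ssl_version)
{
    return ((unsigned)ssl_version >> 8) >= SSL3_VERSION_MAJOR;
}

/* Minimal DER: tag, one-byte length (< 128), value. */
static size_t der_put(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len)
{
    out[0] = tag;
    out[1] = (uint8_t)len;
    memcpy(out + 2, val, len);
    return len + 2;
}

/* Shortest positive INTEGER encoding of v (leading 0x00 added when the top bit is set). */
static size_t der_put_int(uint8_t *out, unsigned v)
{
    uint8_t be[5] = { 0, (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v };
    size_t start = 1;
    while (start < 4 && be[start] == 0)
        start++;
    if (be[start] & 0x80)
        start--;
    return der_put(out, 0x02, be + start, 5 - start);
}

static int der_get(const uint8_t *in, size_t len, size_t *pos, uint8_t tag,
                   const uint8_t **val, size_t *vlen)
{
    if (*pos + 2 > len || in[*pos] != tag || (in[*pos + 1] & 0x80))
        return -1;
    *vlen = in[*pos + 1];
    if (*pos + 2 + *vlen > len)
        return -1;
    *val = in + *pos + 2;
    *pos += 2 + *vlen;
    return 0;
}

/* Serialise the session; returns encoded length, 0 if it does not fit. */
size_t encode_session(const struct fake_session *s, uint8_t *out, size_t cap)
{
    uint8_t body[128];
    size_t n = 0;
    if (s->session_id_len > 32 || s->master_key_len > 48)
        return 0;
    n += der_put_int(body + n, 1);                        /* structure version */
    n += der_put_int(body + n, (unsigned)s->ssl_version); /* protocol version */
    n += der_put(body + n, 0x04, s->cipher, 2);
    n += der_put(body + n, 0x04, s->session_id, s->session_id_len);
    n += der_put(body + n, 0x04, s->master_key, s->master_key_len);
    if (n >= 128 || cap < n + 2)
        return 0;
    return der_put(out, 0x30, body, n);
}

/* Parse a serialised session, applying the version check before the key material. */
int decode_session(const uint8_t *in, size_t len, struct fake_session *out)
{
    const uint8_t *p;
    size_t pos = 0, n, i;
    unsigned v = 0;
    if (der_get(in, len, &pos, 0x30, &p, &n))
        return SESSION_MALFORMED;
    len = pos;                                  /* stop at the end of the SEQUENCE */
    pos = 2;
    if (der_get(in, len, &pos, 0x02, &p, &n))   /* structure version, unused here */
        return SESSION_MALFORMED;
    if (der_get(in, len, &pos, 0x02, &p, &n) || n == 0 || n > 4)
        return SESSION_MALFORMED;
    for (i = 0; i < n; i++)
        v = (v << 8) | p[i];
    if (!version_major_ok((int)v))
        return SESSION_REJECTED_VERSION;        /* 0x0100 is refused here */
    out->ssl_version = (int)v;
    if (der_get(in, len, &pos, 0x04, &p, &n) || n != 2)
        return SESSION_MALFORMED;
    memcpy(out->cipher, p, 2);
    if (der_get(in, len, &pos, 0x04, &p, &n) || n > 32)
        return SESSION_MALFORMED;
    memcpy(out->session_id, p, n);
    out->session_id_len = n;
    if (der_get(in, len, &pos, 0x04, &p, &n) || n > 48)
        return SESSION_MALFORMED;
    memcpy(out->master_key, p, n);
    out->master_key_len = n;
    return 0;
}

/* Build a constructed sample session (dummy cipher id, session id and key
 * bytes), serialise it and decode it again. Returns 0 on a clean round
 * trip, otherwise the decoder's error code. */
int try_resume_version(int ssl_version)
{
    struct fake_session s, back;
    uint8_t buf[128];
    size_t len;
    int rc;
    memset(&s, 0, sizeof s);
    memset(&back, 0, sizeof back);
    s.ssl_version = ssl_version;
    s.cipher[0] = 0x00; s.cipher[1] = 0x2F;   /* constructed sample cipher id */
    memset(s.session_id, 0xAB, 32); s.session_id_len = 32;
    memset(s.master_key, 0xCD, 48); s.master_key_len = 48;
    len = encode_session(&s, buf, sizeof buf);
    if (len == 0)
        return SESSION_MALFORMED;
    rc = decode_session(buf, len, &back);
    if (rc)
        return rc;
    if (back.ssl_version != ssl_version || back.master_key_len != 48 ||
        memcmp(back.master_key, s.master_key, 48) != 0)
        return -3;
    return 0;
}

int main(void)
{
    printf("DTLS1_BAD_VER: %d\n", try_resume_version(DTLS1_BAD_VER)); /* -1 */
    printf("DTLS1_VERSION: %d\n", try_resume_version(DTLS1_VERSION)); /* 0 */
    printf("TLS1_VERSION:  %d\n", try_resume_version(TLS1_VERSION));  /* 0 */
    return 0;
}
```

The example deliberately stays library-free so it compiles without linking libssl; it is the shape of the check, not OpenSSL's parser. For reference, OpenSSL 1.1.0 and later expose SSL_SESSION_set_protocol_version(), SSL_SESSION_set_cipher(), SSL_SESSION_set1_id() and SSL_SESSION_set1_master_key() for populating an opaque SSL_SESSION; whether that is the route this thread settled on is not stated on this page.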
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev