Or maybe we should deprecate SSL_OP_CISCO_ANYCONNECT. It would be cleaner to support it this way instead:
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 151dd47..d4a2d15 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -133,7 +133,9 @@ static int dtls1_get_hello_verify(SSL *s);
 static const SSL_METHOD *dtls1_get_client_method(int ver)
 {
- if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
+ if (ver == DTLS1_BAD_VER)
+ return (DTLSv0_9_client_method());
+ else if (ver == DTLS1_VERSION)
 return (DTLSv1_client_method());
 else if (ver == DTLS1_2_VERSION)
 return (DTLSv1_2_client_method());
@@ -141,6 +143,12 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
 return (NULL);
 }
+IMPLEMENT_dtls1_meth_func(DTLS1_BAD_VER,
+ DTLSv0_9_client_method,
+ ssl_undefined_function,
+ dtls1_connect,
+ dtls1_get_client_method, DTLSv1_enc_data)
+
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
 DTLSv1_client_method,
 ssl_undefined_function,
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 13fb053..6a559b7 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1611,6 +1611,11 @@ const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */
+/* For reasons not entirely clear to anyone, Cisco still uses this
+ * in their AnyConnect VPN and haven't managed to update even to
+ * DTLS v1.0. So we still need to support it for compatibility */
+const SSL_METHOD *DTLSv0_9_client_method(void); /* pre-OpenSSL 0.9.8f */
+
 const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
-- dwmw2
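Review bot: The new `DTLS1_BAD_VER` branch in dtls1_get_client_method selects a method whose version is DTLS1_BAD_VER, but nothing in this hunk touches the code that currently keys the pre-standard behaviour off `SSL_OP_CISCO_ANYCONNECT`, the option the message above proposes deprecating; until those checks are switched to test the method's version, a caller of `DTLSv0_9_client_method()` without the option presumably still gets DTLS1_VERSION-style handling — worth confirming before the option is dropped. The branch also deserves a why-comment, since the old version is kept only for interoperability: `/* DTLS1_BAD_VER: pre-0.9.8f draft DTLS, kept solely for Cisco AnyConnect interoperability */`. From an audit standpoint a distinct method is an improvement: a connection using the non-standard variant is identifiable by the method it was created with rather than by an option bit.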
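Review bot: The new `IMPLEMENT_dtls1_meth_func(DTLS1_BAD_VER, ...)` passes `ssl_undefined_function` in the accept slot and no server or version-flexible method is added alongside it, so the pre-standard variant is client-only by construction; that should be stated at the macro invocation, `/* Client-only: accept is ssl_undefined_function and no server method exists for DTLS1_BAD_VER */`. It also reuses `DTLSv1_enc_data`, so if the pre-standard variant differs from DTLS 1.0 at the record layer that difference must be handled elsewhere (presumably the existing SSL_OP_CISCO_ANYCONNECT paths) — confirm those paths are reached when this method is selected rather than only when the option is set.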
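Review bot: The comment added above `DTLSv0_9_client_method` in ssl.h explains the history but not the contract; a public declaration should say which version it selects and that it is an interoperability shim, e.g. make the trailing tag `/* pre-standard DTLS (DTLS1_BAD_VER), client-only; Cisco AnyConnect compat, not for new code */`. The neighbouring prototypes carry terse `/* DTLSv1.0 */`-style tags, so the three-line narrative would read more consistently as a short note. "DTLSv0_9" is not a standard version label, so this comment is the only place a user learns that the name maps to `DTLS1_BAD_VER`.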