On Tue, 2015-03-03 at 12:00 +0000, Matt Caswell wrote:
> > I'll look at adding test cases to exercise the DTLS_BAD_VER support, to
> > try to avoid this kind of thing happening in future.
>
> That would be fantastic to have.

I took a quick look at this. Adding DTLSv1 and DTLSv1.2 support to ssl/ssltest.c isn't particularly hard, but we don't actually *have* server support for DTLS1_BAD_VER. I suppose I could fix it up, but it doesn't seem to make a lot of sense. It's the wrong thing to test against *anyway* since there are plenty of failure modes in which a regression could be introduced in generic code and OpenSSL would remain compatible with *itself* anyway.

So I'm torn between doing a minimal reimplementation of the server side and making OpenSSL talk to that, or a dirty replay attack such as the one I had when I was first working it out: http://david.woodhou.se/dtls-test.c

--
dwmw2
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
