On Sun, 2016-02-07 at 20:17 +0100, Kurt Roeckx wrote: > Reviewed-by: Viktor Dukhovni <vik...@openssl.org> > > MR: #1595 > --- > ssl/s3_lib.c | 534 > +++++++++++++++++++++++++++++++---------------- > ssl/ssl_ciph.c | 196 +++++++++-------- > ssl/ssl_lib.c | 4 +- > ssl/ssl_locl.h | 21 +- > ssl/ssl_txt.c | 2 +- > ssl/statem/statem_clnt.c | 18 +- > ssl/statem/statem_lib.c | 6 +- > ssl/t1_lib.c | 41 ++-- > 8 files changed, 504 insertions(+), 318 deletions(-) > > diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c > index 51fb161..093ff09 100644 > --- a/ssl/s3_lib.c > +++ b/ssl/s3_lib.c > @@ -171,7 +171,8 @@ static const SSL_CIPHER ssl3_ciphers[] = { > SSL_aRSA, > SSL_eNULL, > SSL_MD5, > - SSL_SSLV3, > + SSL3_VERSION, TLS1_2_VERSION, > + DTLS1_VERSION, DTLS1_2_VERSION,
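Review bot: the new per-cipher DTLS range `DTLS1_VERSION, DTLS1_2_VERSION` in this hunk excludes the pre-standard DTLS1_BAD_VER, which the single `SSL_SSLV3` flag it replaces did not rule out, so any DTLS1_BAD_VER client will find no usable cipher in ssl3_ciphers[]. The follow-up report in this thread says that simply widening the minimum to DTLS1_BAD_VER does not restore the OpenConnect handshake, so the version-range comparison that consumes these table bounds should be reviewed together with this change rather than the table alone, and a cipher-selection test for a DTLS1_BAD_VER handshake would have caught the "no ciphers available" regression at tls_construct_client_hello.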
This broke the OpenConnect VPN client, which now fails thus:

DTLS handshake failed: 1
67609664:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:ssl/statem/statem_clnt.c:927:

I tried the naïvely obvious step of changing all instances of DTLS1_VERSION as the minimum, to DTLS1_BAD_VER. That didn't help.

Having said that, reverting this change isn't *sufficient* to fix OpenSSL 1.1; it still fails with

DTLS handshake failed: 1
67609664:error:14160098:SSL routines:read_state_machine:excessive message size:ssl/statem/statem.c:586:

... which goes back to before 1.1.0-pre1. I'll find that one later...

--
dwmw2
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev