On Fri, 2016-07-08 at 23:59 +0200, Kurt Roeckx wrote:
>
> We have no test suite coverage doing anything with DTLS1_BAD_VER
> and I think the OpenConnect VPN is the only user of it.

I added a basic test in PR #1296. It just simulates the basic session resume and — since it seemed relatively trivial to add while I was at it — out-of-order packet RX:

https://github.com/openssl/openssl/pull/1296/commits/9538be65

This test catches all the bugs that the pull request fixes, and also tests the session resume method that OpenConnect uses, of manually building the ASN.1 with the session details and then using d2i_SSL_SESSION().

It validates the handshake MAC, which is different for DTLS1_BAD_VER because it doesn't include the handshake message headers. It also checks the handling of the 3-byte Change Cipher Spec message, in both directions.

I'm currently trying to stop it whining about DTLSv1_client_method() being deprecated; I can't see how to make it work using DTLS_client_method().

--
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                  Intel Corporation
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
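
As an added illustration (not code from the PR or from OpenSSL), the C sketch below shows the two DTLS1_BAD_VER differences the message names: which bytes of a handshake record feed the handshake MAC, and the length of the Change Cipher Spec message. The function names, the one-unfragmented-message-per-record assumption and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define DTLS1_BAD_VER 0x0100 /* record version of the pre-standard variant */
#define RT_HDR_LEN 13 /* type, version, epoch, sequence number, length */
#define HM_HDR_LEN 12 /* msg_type, length, msg_seq, frag_offset, frag_length */
enum { RT_CCS = 20, RT_HANDSHAKE = 22 };
#define U24(p) (((size_t)(p)[0] << 16) | ((size_t)(p)[1] << 8) | (p)[2])

/* Append to out the bytes of each handshake record that feed the handshake MAC.
 * Assumes one unfragmented handshake message per record; -1 on malformed input. */
long transcript_input(const uint8_t *dgram, size_t len, uint8_t *out, size_t cap)
{
    size_t off = 0, used = 0;
    while (off < len) {
        if (len - off < RT_HDR_LEN) return -1;
        const uint8_t *rec = dgram + off, *body = rec + RT_HDR_LEN;
        int bad_ver = ((rec[1] << 8) | rec[2]) == DTLS1_BAD_VER;
        size_t rlen = ((size_t)rec[11] << 8) | rec[12];
        if (rlen > len - off - RT_HDR_LEN) return -1;
        if (rec[0] == RT_CCS) {
            /* never hashed; 3 bytes in DTLS1_BAD_VER, 1 byte in standard DTLS */
            if (rlen != (bad_ver ? 3u : 1u)) return -1;
        } else if (rec[0] == RT_HANDSHAKE) {
            size_t blen = rlen - HM_HDR_LEN, skip = bad_ver ? HM_HDR_LEN : 0;
            if (rlen < HM_HDR_LEN || U24(body + 1) != blen ||
                U24(body + 6) != 0 || U24(body + 9) != blen) return -1;
            if (rlen - skip > cap - used) return -1;
            memcpy(out + used, body + skip, rlen - skip);
            used += rlen - skip;
        }
        off += RT_HDR_LEN + rlen;
    }
    return (long)used;
}

/* Constructed sample (not captured traffic): handshake + CCS; buf needs 45 bytes. */
size_t sample_flight(uint16_t ver, uint8_t *buf)
{
    static const uint8_t t[] = {
        22, 0,0, 0,0, 0,0,0,0,0,1, 0,16,  2, 0,0,4, 0,0, 0,0,0, 0,0,4,
        0xde, 0xad, 0xbe, 0xef,           /* placeholder handshake body */
        20, 0,0, 0,0, 0,0,0,0,0,2, 0,3,  1, 0, 2 }; /* CCS, 3-byte form */
    size_t n = sizeof(t) - (ver == DTLS1_BAD_VER ? 0 : 2);
    memcpy(buf, t, n);
    buf[1] = buf[30] = (uint8_t)(ver >> 8);
    buf[2] = buf[31] = (uint8_t)(ver & 0xff);
    buf[41] = (uint8_t)(n - 42); /* CCS length field: 3 or 1 */
    return n;
}
```

For the same flight, the DTLS1_BAD_VER transcript holds only the 4 body bytes, while the standard version (0xFEFF) yields 16 bytes because the 12-byte handshake header is hashed too.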