[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-05-07 Thread Matt Caswell via RT
Closing this ticket now. I've given some consideration to the proposal for a DTLSv0_9_client_method(). I think however that the audience for this is *very* limited...certainly no new applications should be using this. I am sincerely hoping that sooner or later the whole DTLS1_BAD_VER thing will

Re: [openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-16 Thread David Woodhouse via RT
On Mon, 2015-03-09 at 12:11 +0100, Matt Caswell via RT wrote:
> Fixed in this commit: https://github.com/openssl/openssl/commit/f7683aaf36341dc65672ac2ccdbfd4a232e3626d

Thanks. I can confirm that OpenConnect is now working with OpenSSL HEAD again, both with DTLS1_BAD_VER talking to 'legacy'

Re: [openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-16 Thread David Woodhouse
On Mon, 2015-03-09 at 12:11 +0100, Matt Caswell via RT wrote:
> Fixed in this commit: https://github.com/openssl/openssl/commit/f7683aaf36341dc65672ac2ccdbfd4a232e3626d

Thanks. I can confirm that OpenConnect is now working with OpenSSL HEAD again, both with DTLS1_BAD_VER talking to 'legacy'

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-09 Thread Matt Caswell via RT
Fixed in this commit: https://github.com/openssl/openssl/commit/f7683aaf36341dc65672ac2ccdbfd4a232e3626d Thanks for the patch. I'm leaving this ticket open for now to consider the DTLS 0.9 method stuff (which I would look at from a master-only point of view). Matt

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-07 Thread Matt Caswell via RT
As with #3703, patch is still in review - I will chase. Matt

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-02-18 Thread David Woodhouse via RT
Since commit 741c9959 (DTLS revision.), we put the wrong protocol version into our ClientHello and potentially other packets. The old DTLS code which used ssl->version was replaced by the more generic SSL3 code which uses ssl->client_version. The Cisco ASA no longer likes our ClientHello. A patch

Re: [openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regression: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-02-18 Thread David Woodhouse via RT
Or maybe we should deprecate SSL_OP_CISCO_ANYCONNECT. It would be cleaner to support it this way instead: diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 151dd47..d4a2d15 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -133,7 +133,9 @@ static int dtls1_get_hello_verify(SSL *s); static const