On Mon, 2016-07-25 at 16:29 +0100, David Woodhouse wrote:
> I'm currently trying to stop it whining about DTLSv1_client_method()
> being deprecated; I can't see how to make it work using
> DTLS_client_method().
The SSL_OP_CISCO_ANYCONNECT hack doesn't work so well with
DTLS_client_method. Instead
On Fri, 2016-07-08 at 23:59 +0200, Kurt Roeckx wrote:
>
> We have no test suite coverage doing anything with DTLS1_BAD_VER
> and I think the OpenConnect VPN is the only user of it.
I added a basic test in PR #1296. It just simulates the basic session
resume and — since it seemed relatively
On Fri, 2016-07-08 at 23:59 +0200, Kurt Roeckx wrote:
>
> Can you describe how DTLS1_BAD_VER is supposed to work? Is this
> version sent over the wire? Is it negotiated?
It does indeed appear on the wire.
In the AnyConnect/OpenConnect case — which, as you rightly observe, is
the only
On Fri, Jul 08, 2016 at 05:43:21PM +0100, David Woodhouse wrote:
>
> This broke the OpenConnect VPN client, which now fails thus:
>
> DTLS handshake failed: 1
> 67609664:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers
> available:ssl/statem/statem_clnt.c:927:
>
> I tried the
On Fri, 2016-07-08 at 19:13 +, Viktor Dukhovni wrote:
>
> Perhaps rename dtls_ver_cmp() to dtls_ver_ordinal(), "cmp" suggests
> that you're actually doing a comparison.
Well, 'cmp' with one argument isn't *so* easily interpreted as a
comparison, but OK :)
I've also added a comment
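The version-ordering problem behind the dtls_ver_ordinal naming discussion above (and the DTLS_VERSION_LT remark elsewhere in this thread), as an added C example that is not OpenSSL's or OpenConnect's code. The three version constants are OpenSSL's real public values; the naive comparison macro, the ordinal function, the range check, and the constructed ClientHello version bytes are illustrative assumptions written for this example, not a copy of the library's implementation.

```c
/*
 * Added example (not OpenSSL code): why DTLS version comparisons need an
 * ordinal mapping once DTLS1_BAD_VER is in play.
 *
 * Standard DTLS wire versions count *down* (1.0 = 0xFEFF, 1.2 = 0xFEFD),
 * so a comparison on the raw number has to be inverted.  DTLS1_BAD_VER
 * (0x0100, the pre-standard Cisco AnyConnect version) is numerically
 * smaller than every real version, so the inverted raw comparison treats
 * it as *newer* than DTLS 1.2, and using it as the minimum version rejects
 * everything.
 */
#include <stdint.h>
#include <stdio.h>

/* OpenSSL's public constants; the values are real. */
#define DTLS1_BAD_VER   0x0100  /* pre-standard DTLS used by AnyConnect */
#define DTLS1_VERSION   0xFEFF  /* DTLS 1.0: one's complement of {1,0} */
#define DTLS1_2_VERSION 0xFEFD  /* DTLS 1.2: one's complement of {1,2} */

/* Naive "a is older than b" relying on wire numbers counting down.
 * Assumed here to illustrate the broken behaviour; not OpenSSL's macro. */
#define NAIVE_DTLS_LT(a, b) ((a) > (b))

/* Ordinal: larger return value means newer protocol; unknown -> -1. */
static int dtls_ver_ordinal(int ver)
{
    switch (ver) {
    case DTLS1_BAD_VER:   return 0;   /* older than anything standard */
    case DTLS1_VERSION:   return 1;
    case DTLS1_2_VERSION: return 2;
    default:              return -1;  /* never accepted */
    }
}

#define DTLS_VERSION_LT(a, b) (dtls_ver_ordinal(a) < dtls_ver_ordinal(b))
#define DTLS_VERSION_GT(a, b) (dtls_ver_ordinal(a) > dtls_ver_ordinal(b))
#define DTLS_VERSION_LE(a, b) (!DTLS_VERSION_GT(a, b))
#define DTLS_VERSION_GE(a, b) (!DTLS_VERSION_LT(a, b))

/* min/max protocol-version check using the ordinal comparison. */
static int dtls_version_in_range(int ver, int min_ver, int max_ver)
{
    if (dtls_ver_ordinal(ver) < 0)
        return 0;
    return DTLS_VERSION_GE(ver, min_ver) && DTLS_VERSION_LE(ver, max_ver);
}

/* Same check with the naive macro, for comparison. */
static int naive_version_in_range(int ver, int min_ver, int max_ver)
{
    return !NAIVE_DTLS_LT(ver, min_ver) && !NAIVE_DTLS_LT(max_ver, ver);
}

/* The 2-byte version field as it appears on the wire (record header and
 * ClientHello both carry it, big-endian). */
static void dtls_version_to_wire(int ver, uint8_t out[2])
{
    out[0] = (uint8_t)(ver >> 8);
    out[1] = (uint8_t)(ver & 0xFF);
}

static int dtls_version_from_wire(const uint8_t in[2])
{
    return (in[0] << 8) | in[1];
}

/* Encode then decode; lets a caller confirm the bytes survive intact. */
static int dtls_version_roundtrip(int ver)
{
    uint8_t w[2];
    dtls_version_to_wire(ver, w);
    return dtls_version_from_wire(w);
}

int main(void)
{
    /* Constructed ClientHello version bytes as AnyConnect would send them. */
    const uint8_t bad_ver_on_wire[2] = { 0x01, 0x00 };
    int ver = dtls_version_from_wire(bad_ver_on_wire);

    printf("wire 01 00 decodes to 0x%04x (DTLS1_BAD_VER: %s)\n", ver,
           ver == DTLS1_BAD_VER ? "yes" : "no");

    /* Naive check: lowering min to DTLS1_BAD_VER rejects every version. */
    printf("naive, min=BAD_VER: 1.0 ok=%d 1.2 ok=%d BAD ok=%d\n",
           naive_version_in_range(DTLS1_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION),
           naive_version_in_range(DTLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION),
           naive_version_in_range(DTLS1_BAD_VER, DTLS1_BAD_VER, DTLS1_2_VERSION));

    /* Ordinal check: the same range accepts all three, and a normal
     * [1.0, 1.2] range still rejects BAD_VER. */
    printf("ordinal, min=BAD_VER: 1.0 ok=%d 1.2 ok=%d BAD ok=%d\n",
           dtls_version_in_range(DTLS1_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION),
           dtls_version_in_range(DTLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION),
           dtls_version_in_range(DTLS1_BAD_VER, DTLS1_BAD_VER, DTLS1_2_VERSION));
    printf("ordinal, min=1.0: BAD ok=%d\n",
           dtls_version_in_range(DTLS1_BAD_VER, DTLS1_VERSION, DTLS1_2_VERSION));
    return 0;
}
```

The ordinal table is the whole fix: once every comparison goes through it, DTLS1_BAD_VER can be set as the minimum without breaking the 1.0/1.2 ordering, and an unrecognised version decodes to an ordinal of -1 and is rejected outright instead of silently sorting somewhere in the range.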
On Fri, Jul 08, 2016 at 07:30:26PM +0100, David Woodhouse wrote:
> > I tried the naïvely obvious step of changing all instances of
> > DTLS1_VERSION as the minimum, to DTLS1_BAD_VER. That didn't help.
>
> Of course, it's because DTLS_VERSION_LT and friends are doing precisely
> the opposite of
On Fri, 2016-07-08 at 17:43 +0100, David Woodhouse wrote:
> On Sun, 2016-02-07 at 20:17 +0100, Kurt Roeckx wrote:
> > Reviewed-by: Viktor Dukhovni
> >
> > MR: #1595
> > ---
> > ssl/s3_lib.c | 534
> > +++
> >
On Sun, 2016-02-07 at 20:17 +0100, Kurt Roeckx wrote:
> Reviewed-by: Viktor Dukhovni
>
> MR: #1595
> ---
> ssl/s3_lib.c | 534
> +++
> ssl/ssl_ciph.c | 196 +
> ssl/ssl_lib.c | 4