Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-25 Thread David Woodhouse
On Mon, 2016-07-25 at 16:29 +0100, David Woodhouse wrote: > I'm currently trying to stop it whining about DTLSv1_client_method() > being deprecated; I can't see how to make it work using > DTLS_client_method(). The SSL_OP_CISCO_ANYCONNECT hack doesn't work so well with DTLS_client_method. Instead

Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-25 Thread David Woodhouse
On Fri, 2016-07-08 at 23:59 +0200, Kurt Roeckx wrote: > > We have no test suite coverage doing anything with DTLS1_BAD_VER > and I think the OpenConnect VPN is the only user of it. I added a basic test in PR #1296. It just simulates the basic session resume and — since it seemed relatively

Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-08 Thread David Woodhouse
On Fri, 2016-07-08 at 23:59 +0200, Kurt Roeckx wrote: > > Can you describe how DTLS1_BAD_VER is supposed to work?  Is this > version sent over the wire?  Is it negotiated? It does indeed appear on the wire. In the AnyConnect/OpenConnect case — which, as you rightly observe, is the only

Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-08 Thread Kurt Roeckx
On Fri, Jul 08, 2016 at 05:43:21PM +0100, David Woodhouse wrote: > > This broke the OpenConnect VPN client, which now fails thus: > > DTLS handshake failed: 1 > 67609664:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers > available:ssl/statem/statem_clnt.c:927: > > I tried the

Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-08 Thread David Woodhouse
On Fri, 2016-07-08 at 19:13 +, Viktor Dukhovni wrote: > > Perhaps rename dtls_ver_cmp() to dtls_ver_ordinal(), "cmp" suggests > that you're actually doing a comparison.  Well, 'cmp' with one argument isn't *so* easily interpreted as a comparison, but OK :) I've also added a comment

Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-08 Thread Viktor Dukhovni
On Fri, Jul 08, 2016 at 07:30:26PM +0100, David Woodhouse wrote: > > I tried the naïvely obvious step of changing all instances of > > DTLS1_VERSION as the minimum, to DTLS1_BAD_VER. That didn't help. > > Of course, it's because DTLS_VERSION_LT and friends are doing precisely > the opposite of

Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-08 Thread David Woodhouse
On Fri, 2016-07-08 at 17:43 +0100, David Woodhouse wrote: > On Sun, 2016-02-07 at 20:17 +0100, Kurt Roeckx wrote: > > Reviewed-by: Viktor Dukhovni > > > > MR: #1595 > > --- > >  ssl/s3_lib.c | 534 > > +++ > >  

Re: [openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

2016-07-08 Thread David Woodhouse
On Sun, 2016-02-07 at 20:17 +0100, Kurt Roeckx wrote: > Reviewed-by: Viktor Dukhovni > > MR: #1595 > --- >  ssl/s3_lib.c | 534 > +++ >  ssl/ssl_ciph.c   | 196 + >  ssl/ssl_lib.c    |   4