Commit
Update README.DTLS to reflect current OpenSSL versions
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and committed on May 9, 2010
1 parent de5101f, commit 43333d2
Showing 1 changed file with 16 additions and 14 deletions.
@@ -1,22 +1,24 @@ | ||
Cisco's implementation of the DTLS protocol unfortunately does not | ||
comply with the relevant standards. We need some patches to OpenSSL to | ||
be compatible with it. | ||
comply with the relevant standards. OpenSSL 0.9.8m or newer, and | ||
1.0.0-beta2 or newer, contain a compatibility mode which allows | ||
interoperation with Cisco's servers. | ||
|
||
For the 0.9.8 branch of OpenSSL, the required patch is | ||
http://cvs.openssl.org/chngview?cn=18037 | ||
As long as you are using a current version of OpenSSL, you have nothing | ||
to worry about -- everything should work optimally. | ||
|
||
Without a suitable OpenSSL, the openconnect client will fall back to | ||
passing packets over the HTTPS connection. This will still work OK, but | ||
will suffer quite a lot if your connection has packet loss. For details | ||
of why that happens, see http://sites.inka.de/~W1011/devel/tcp-tcp.html | ||
|
||
If you insist on using ancient buggy versions of OpenSSL, these are the | ||
patches you require if you want DTLS to work: | ||
|
||
This was included in OpenSSL CVS in April 2009 and should be in the | ||
next release from the 0.9.8 branch, which will presumably be 0.9.8l. | ||
For versions of OpenSSL earlier than 0.9.8m, you'll need the Cisco | ||
compatibility support: | ||
http://cvs.openssl.org/chngview?cn=18037 | ||
|
||
For versions of OpenSSL earlier than 0.9.8j, a couple of other DTLS | ||
bug-fixes are also required: | ||
http://cvs.openssl.org/chngview?cn=17500 | ||
http://cvs.openssl.org/chngview?cn=17505 | ||
|
||
OpenSSL 1.0.0-beta2 and later require no patching; all the required | ||
support is already present. | ||
|
||
Without a suitable OpenSSL, the openconnect client will fall back to | ||
passing packets over the HTTPS connection. This will work, but will | ||
suffer quite a lot if your connection has packet loss. For details of | ||
why that happens, see http://sites.inka.de/~W1011/devel/tcp-tcp.html |
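Review bot: The new sentence "you have nothing to worry about -- everything should work optimally" overstates what the rest of the file promises: the very next paragraph explains that openconnect falls back to tunnelling over the HTTPS connection when DTLS cannot be used, so a current OpenSSL removes the patching requirement but does not guarantee DTLS will be negotiated. Suggest something closer to "As long as you are using a current version of OpenSSL, no patching is needed for DTLS to work with Cisco servers." Related documentation gap in the first paragraph: it says OpenSSL 0.9.8m and 1.0.0-beta2 "contain a compatibility mode" but not whether openconnect enables that mode itself or the user has to do anything; one sentence either way would save a support question. Otherwise the restructuring is right: dropping the "presumably 0.9.8l" guess and anchoring the 18037 patch to "earlier than 0.9.8m" replaces a dated prediction with the actual release, and moving the patch list under an explicit "ancient buggy versions" heading makes the common case (no patches) the first thing a reader sees.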