Disable DTLS for GnuTLS 3.6.3 - 3.6.12
Upgrade to 3.6.13.
https://gitlab.com/gnutls/gnutls/-/issues/960

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dwmw2 committed Mar 30, 2020
1 parent 6ed54f5 commit 47765e7
Showing 2 changed files with 10 additions and 0 deletions.
9 changes: 9 additions & 0 deletions gnutls.c
Expand Up @@ -2241,6 +2241,15 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
#endif

#ifdef HAVE_DTLS
if (vpninfo->dtls_state != DTLS_DISABLED && vpninfo->proto->udp_setup == dtls_setup &&
gnutls_check_version_numeric(3,6,3) && !gnutls_check_version_numeric(3,6,12)) {
vpn_progress(vpninfo, PRG_ERR,
_("Disabling DTLS: This version of the GnuTLS library has an insecure DTLS implementation.\n"));
vpninfo->dtls_state = DTLS_DISABLED;
}
#endif

err = cstp_handshake(vpninfo, 1);
if (err)
return err;
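Review bot: the upper bound of the new version test excludes 3.6.12, which contradicts the commit subject "Disable DTLS for GnuTLS 3.6.3 - 3.6.12". `gnutls_check_version_numeric(3,6,3) && !gnutls_check_version_numeric(3,6,12)` is true only for 3.6.3 <= version < 3.6.12, so a 3.6.12 library, which the subject says is affected and which is older than the 3.6.13 the message tells users to upgrade to, keeps DTLS enabled. Since 3.6.13 is the first fixed release, the test should read `!gnutls_check_version_numeric(3,6,13)`. The log message could also include the detected runtime version (`gnutls_check_version(NULL)`) so a user reading the PRG_ERR line knows which library triggered the fallback.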
1 change: 1 addition & 0 deletions www/changelog.xml
Expand Up @@ -25,6 +25,7 @@
<li>Ignore missing Cisco CSD stub and simply CSD subprocess invocation (<a href="https://gitlab.com/openconnect/openconnect/merge_requests/77">!77</a>, <a href="https://gitlab.com/openconnect/openconnect/merge_requests/74">!74</a>).</li>
<li>Pass <tt>IDLE_TIMEOUT</tt> to vpnc-script (<a href="https://gitlab.com/openconnect/openconnect/merge_requests/67">!67</a>).</li>
<li>Windows line-ending flexibility for standard input (<a href="https://gitlab.com/openconnect/openconnect/merge_requests/78">!78</a>).</li>
<li>Disable DTLS for GnuTLS versions between 3.6.3 and 3.6.13 inclusive due to <a href="https://gitlab.com/gnutls/gnutls/-/issues/960">GnuTLS #960</a>.</li>
<li>Add RFC6750 Bearer token support (<a href="https://gitlab.com/openconnect/openconnect/-/merge_requests/70">!70</a>).</li>
</ul><br/>
</li>
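Review bot: the range in the new changelog entry does not match the code or the commit message. The entry says "between 3.6.3 and 3.6.13 inclusive", but the commit subject names 3.6.3 - 3.6.12 and instructs users to upgrade to 3.6.13, i.e. 3.6.13 is the fixed release, not an affected one. Suggest "Disable DTLS for GnuTLS versions 3.6.3 to 3.6.12 inclusive due to ..." so the changelog, the commit message and the version check in gnutls.c all describe the same range.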