include negotiated [D]TLS version in ciphersuite string for OpenSSL (…

…GnuTLS already does this)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

library.c

@@ -389,11 +389,14 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 	free(vpninfo->ifname);
 	free(vpninfo->dtls_cipher);
 	free(vpninfo->peer_cert_hash);
-#if defined(OPENCONNECT_OPENSSL) && defined (HAVE_BIO_METH_FREE)
+#if defined(OPENCONNECT_OPENSSL)
+	free(vpninfo->cstp_cipher);
+#if defined(HAVE_BIO_METH_FREE)
 	if (vpninfo->ttls_bio_meth)
 		BIO_meth_free(vpninfo->ttls_bio_meth);
+#endif
 #elif defined(OPENCONNECT_GNUTLS)
-	gnutls_free(vpninfo->cstp_cipher); /* In OpenSSL this is const */
+	gnutls_free(vpninfo->cstp_cipher);
 #ifdef HAVE_DTLS
 	gnutls_free(vpninfo->gnutls_dtls_cipher);
 #endif

openssl-dtls.c

@@ -603,8 +603,8 @@ int dtls_try_handshake(struct openconnect_info *vpninfo)
 
 		vpninfo->dtls_state = DTLS_CONNECTED;
 		vpn_progress(vpninfo, PRG_INFO,
-			     _("Established DTLS connection (using OpenSSL). Ciphersuite %s.\n"),
-			     SSL_get_cipher(vpninfo->dtls_ssl));
+			     _("Established DTLS connection (using OpenSSL). Ciphersuite %s-%s.\n"),
+			     SSL_get_version(vpninfo->dtls_ssl), SSL_get_cipher(vpninfo->dtls_ssl));
 
 		c = openconnect_get_dtls_compression(vpninfo);
 		if (c) {

openssl.c

@@ -1670,6 +1670,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 	}
 	free(vpninfo->peer_cert_hash);
 	vpninfo->peer_cert_hash = NULL;
+	free(vpninfo->cstp_cipher);
 	vpninfo->cstp_cipher = NULL;
 
 	ssl_sock = connect_https_socket(vpninfo);
@@ -1878,7 +1879,12 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 		}
 	}
 
-	vpninfo->cstp_cipher = (char *)SSL_get_cipher_name(https_ssl);
+	if (asprintf(&vpninfo->cstp_cipher, "%s-%s",
+		     SSL_get_version(https_ssl), SSL_get_cipher_name(https_ssl)) < 0) {
+		SSL_free(https_ssl);
+		closesocket(ssl_sock);
+		return -ENOMEM;
+	}
 
 	vpninfo->ssl_fd = ssl_sock;
 	vpninfo->https_ssl = https_ssl;