DTLS: Don't require secure renegotiation from Cisco
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dwmw2 committed May 5, 2021
1 parent 98f477b commit 9457f40
Showing 2 changed files with 11 additions and 1 deletion.
9 changes: 9 additions & 0 deletions openssl-dtls.c
Expand Up @@ -435,6 +435,15 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
*/
SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_NO_ENCRYPT_THEN_MAC);
#endif
#ifdef SSL_OP_LEGACY_SERVER_CONNECT
/*
* Since https://github.com/openssl/openssl/pull/15127, OpenSSL
* *requires* secure renegotiation support by default. For interop
* with Cisco's resumed DTLS sessions, we have to turn that off.
*/
if (dtlsver)
SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
#endif
#ifdef SSL_OP_NO_EXTENDED_MASTER_SECRET
/* RFC7627 says:
*
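Review bot: Setting `SSL_OP_LEGACY_SERVER_CONNECT` on the DTLS context re-opens the pre-RFC 5746 renegotiation-splicing weakness that OpenSSL's new default was closing, and the new code applies it for every `dtlsver` rather than only the Cisco case the comment describes; whether `dtlsver` already narrows this to the legacy Cisco path is not visible from the hunk. Since the interop need is only that a session without the renegotiation-info extension be accepted, not that renegotiation ever happen, the safer shape is to pair it with an explicit renegotiation ban inside the same `if (dtlsver)` branch: `#ifdef SSL_OP_NO_RENEGOTIATION`, `SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_NO_RENEGOTIATION);`, `#endif` (available in OpenSSL 1.1.1 and later). The comment should also record the accepted risk rather than only the interop reason, e.g. `/* Lets the resumed Cisco session through without the renegotiation_info extension; we never renegotiate on this channel, so the RFC 5746 protection is not load-bearing here. */`. start_dtls_handshake begins and ends outside this hunk.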
3 changes: 2 additions & 1 deletion tests/bad_dtls_test.c
Expand Up @@ -788,7 +788,8 @@ int main(int argc, char *argv[])
ctx = SSL_CTX_new(DTLS_client_method());
if (ctx == NULL ||
!SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER) ||
!SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) {
!SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER) ||
!SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT)) {
printf("Failed to allocate SSL_CTX\n");
goto end_md;
}
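Review bot: The error message on the next line, "Failed to allocate SSL_CTX", now also covers the `SSL_CTX_set_options` call added to the condition, which is not an allocation; a reader of a failing test would look in the wrong place. Splitting the check or generalising the text, e.g. `printf("Failed to allocate or configure SSL_CTX\n");`, keeps the diagnostic honest. Note that `SSL_CTX_set_options` returns the resulting option bitmask, so with a non-zero flag its `!` check can only fire if the flag is unknown to the library, which is presumably the intent; a one-line comment saying so would help.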
