Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Fix DTLS compatibility with ASA firmware 8.4.1(11) and above.
It seems to get very upset when we resend our ChangeCipherSpec messages, as the RFC says we're supposed to do. Without a periodic resend, if the original did get lost in transit, the server wouldn't be able to decrypt any of our data packets. Perhaps there's something "wrong" with our packets; the ChangeCipherSpec messages is is one of the areas in which Cisco's "speshul" version of DTLS differs from RFC4347. But the Cisco client doesn't seem to resend it at all, ever. Making it hard to tell what Cisco want it to look like, unless we wanted to reverse-engineer their code. Which we don't. If Cisco get away without resending, I suppose we can, until/unless we work it out. DPD should mostly let us get away with it, because if the first packet *does* get lost, DPD will soon tell us that the DTLS connection is dead and we'll make a new one. Sucks, but that's what you get for using crappy not-quite-RFC-compliant kit. Yay Cisco. Why not join us in 2006 and start using the proper standard? It's not even as if it'd be hard to support both in parallel for a while. Thanks to Eric Barkie for the initial diagnosis. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
- Loading branch information