Fix DTLS compatibility with ASA firmware 8.4.1(11) and above.
It seems to get very upset when we resend our ChangeCipherSpec messages,
as the RFC says we're supposed to do. Without a periodic resend, if the
original did get lost in transit, the server wouldn't be able to decrypt
any of our data packets.

Perhaps there's something "wrong" with our packets; the ChangeCipherSpec
message is one of the areas in which Cisco's "speshul" version of
DTLS differs from RFC4347. But the Cisco client doesn't seem to resend it
at all, ever. Making it hard to tell what Cisco want it to look like,
unless we wanted to reverse-engineer their code. Which we don't.

If Cisco get away without resending, I suppose we can, until/unless we
work it out. DPD should mostly let us get away with it, because if the
first packet *does* get lost, DPD will soon tell us that the DTLS
connection is dead and we'll make a new one. Sucks, but that's what you
get for using crappy not-quite-RFC-compliant kit. Yay Cisco. Why not join
us in 2006 and start using the proper standard? It's not even as if it'd
be hard to support both in parallel for a while.

Thanks to Eric Barkie for the initial diagnosis.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Sep 8, 2011
1 parent 8c2796a commit 9785d0c
Showing 2 changed files with 10 additions and 1 deletion.
8 changes: 8 additions & 0 deletions dtls.c
Expand Up @@ -272,6 +272,14 @@ int dtls_try_handshake(struct openconnect_info *vpninfo)

vpninfo->dtls_times.last_rx = vpninfo->dtls_times.last_tx = time(NULL);

/* From about 8.4.1(11) onwards, the ASA seems to get
very unhappy if we send it ChangeCipherSpec messages
after the initial setup. Disable the retransmit timer;
the Cisco client doesn't seem to do it at all, and
DPD would help us notice if the original does go AWOL
and hence the server can't decrypt any data packets. */
dtls1_stop_timer(vpninfo->dtls_ssl);

return 0;
}

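Review bot: the new `dtls1_stop_timer(vpninfo->dtls_ssl);` call is to an OpenSSL-internal routine that is not declared in the public `<openssl/ssl.h>`, and this hunk adds no prototype for it, so the call relies on an implicit declaration and will fail to link against OpenSSL builds that do not export the symbol; add an explicit `extern` prototype (guarded for the OpenSSL versions where it exists) and extend the comment to say that after this change a lost ChangeCipherSpec is only ever noticed through DPD, never by retransmission.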
3 changes: 2 additions & 1 deletion openconnect.html
Expand Up @@ -183,6 +183,7 @@ <H2>Release Notes / Changelog</H2>
<UL>
<LI><B>OpenConnect HEAD</B><BR>
<UL>
<LI>Fix DTLS compatibility with ASA firmware 8.4.11(11) and above.</LI>
<LI>Fix build failures on GNU Hurd, on systems with ancient OpenSSL,
and on Debian.</LI>
</UL><BR>
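Review bot: the new changelog entry reads `8.4.11(11)` while the commit message and the new comment in dtls.c both say `8.4.1(11)`; the version in the changelog line looks like a typo and should match the other two.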
Expand Down Expand Up @@ -497,6 +498,6 @@ <H3>FreeBSD</H3>
<hr>
<address>David Woodhouse &lt;<A HREF="mailto:dwmw2@infradead.org">dwmw2@infradead.org</A>&gt;</address>
<!-- hhmts start -->
Last modified: Wed Jul 20 17:36:36 PDT 2011
Last modified: Thu Sep 8 14:06:19 BST 2011
<!-- hhmts end -->
</body> </html>
