Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
openssl: Add SSL_OP_LEGACY_SERVER_CONNECT to allow-insecure-crypto
OpenSSL 3.0.0 onwards will require secure negotiation by default, which
Cisco servers don't seem to cope with. Let --allow-insecure-crypto turn
that off.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
  • Loading branch information
dwmw2 committed May 5, 2021
1 parent 0745545 commit c8dcf10
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions openssl.c
Expand Up @@ -1807,6 +1807,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
* For now we will set the security level to 0, thus reverting
* to the functionality seen in versions before 1.1.0. */
SSL_CTX_set_security_level(vpninfo->https_ctx, 0);

/* OpenSSL 3.0.0 refuses legacy renegotiation by default.
* Current versions of the Cisco ASA doesn't seem to cope */
SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
}
#endif

Expand Down

0 comments on commit c8dcf10

Please sign in to comment.