Commit e4221aa8 authored by Nikolay Martynov's avatar Nikolay Martynov Committed by David Woodhouse

Do not try to establish DTLS on reconnect if it wasn't established before

Currently, when the TCP SSL connection fails, a reconnect attempt happens. This attempt tries to establish a DTLS connection regardless of whether one existed before, and the code ends up in an infinite loop doing that.
This change fixes this by disabling DTLS at startup if the DTLS connection cannot be established.
Also change ESP handling code to not reenable DTLS on ESP close.
Signed-off-by: default avatarNikolay Martynov <>
Signed-off-by: default avatarDavid Woodhouse <>
parent ffee28a1
......@@ -154,6 +154,10 @@ void dtls_close(struct openconnect_info *vpninfo)
static int dtls_reconnect(struct openconnect_info *vpninfo)
if (vpninfo->dtls_state == DTLS_DISABLED)
return -EINVAL;
vpninfo->dtls_state = DTLS_SLEEPING;
return connect_dtls_socket(vpninfo);
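Review bot: The new early return in dtls_reconnect carries no comment explaining why DTLS_DISABLED must short-circuit a reconnect or why -EINVAL is the chosen code, so the commit's rationale lives only in the log; a line above it such as `/* DTLS was disabled (e.g. setup failed at startup): never retry, or the SSL reconnect path loops forever trying to bring it up. */` would keep it with the code. The hunk header places this near dtls_close(); if dtls_close also resets dtls_state to DTLS_SLEEPING unconditionally (not visible here), it needs the same `!= DTLS_DISABLED` guard that esp_close receives in this commit, otherwise a close followed by a reconnect re-arms DTLS anyway. dtls_reconnect's body continues outside the hunk.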
......@@ -341,7 +341,8 @@ void esp_close(struct openconnect_info *vpninfo)
unmonitor_except_fd(vpninfo, dtls);
vpninfo->dtls_fd = -1;
vpninfo->dtls_state = DTLS_SLEEPING;
if (vpninfo->dtls_state > DTLS_DISABLED)
vpninfo->dtls_state = DTLS_SLEEPING;
void esp_shutdown(struct openconnect_info *vpninfo)
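Review bot: The new guard `if (vpninfo->dtls_state > DTLS_DISABLED)` depends on DTLS_DISABLED being the lowest enumerator, which the enum definition (not visible here) would have to guarantee, while the dtls_reconnect hunk and main.c in the same commit test `!= DTLS_DISABLED`; writing it as `if (vpninfo->dtls_state != DTLS_DISABLED)` states the intent directly and keeps the three sites consistent. A short why-comment would also help, e.g. `/* Do not re-arm DTLS/ESP that was disabled at startup; dtls_reconnect refuses DTLS_DISABLED. */`. esp_close begins outside the hunk.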
......@@ -1521,8 +1521,13 @@ int main(int argc, char **argv)
STRDUP(vpninfo->vpnc_script, vpnc_script);
if (vpninfo->dtls_state != DTLS_DISABLED &&
openconnect_setup_dtls(vpninfo, 60))
openconnect_setup_dtls(vpninfo, 60)) {
/* Disable DTLS if we cannot set it up, otherwise
* reconnects end up in infinite loop trying to connect
* to non existing DTLS */
vpninfo->dtls_state = DTLS_DISABLED;
fprintf(stderr, _("Set up DTLS failed; using SSL instead\n"));
openconnect_get_ip_info(vpninfo, &ip_info, NULL, NULL);
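Review bot: Setting DTLS_DISABLED on openconnect_setup_dtls failure is done here in the CLI's main() rather than in the library, so any other front end that calls openconnect_setup_dtls (if such callers exist; none are visible here) and then runs the main loop would presumably still hit the infinite-reconnect loop this commit describes; moving the `vpninfo->dtls_state = DTLS_DISABLED;` into the library's failure path would fix it for every caller, with main() keeping only the fprintf. The added comment could also be sharper about the consequence, e.g. `/* Setup failure is permanent for this session: disable DTLS so later reconnects (dtls_reconnect) do not loop forever on a transport that was never configured. */`. The closing brace of the new if-block and the rest of main() lie outside the hunk.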