[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-05-07 Thread Matt Caswell via RT
Closing this ticket now. I've given some consideration to the proposal for a DTLSv0_9_client_method(). I think however that the audience for this is *very* limited...certainly no new applications should be using this. I am sincerely hoping that sooner or later the whole DTLS1_BAD_VER thing will dis

Re: [openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-16 Thread David Woodhouse via RT
On Mon, 2015-03-09 at 12:11 +0100, Matt Caswell via RT wrote: > Fixed in this commit: > > https://github.com/openssl/openssl/commit/f7683aaf36341dc65672ac2ccdbfd4a232e3626d Thanks. I can confirm that OpenConnect is now working with OpenSSL HEAD again, both with DTLS1_BAD_VER talking to 'legacy' C

Re: [openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-16 Thread David Woodhouse
On Mon, 2015-03-09 at 12:11 +0100, Matt Caswell via RT wrote: > Fixed in this commit: > > https://github.com/openssl/openssl/commit/f7683aaf36341dc65672ac2ccdbfd4a232e3626d Thanks. I can confirm that OpenConnect is now working with OpenSSL HEAD again, both with DTLS1_BAD_VER talking to 'legacy' C

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-09 Thread Matt Caswell via RT
Fixed in this commit: https://github.com/openssl/openssl/commit/f7683aaf36341dc65672ac2ccdbfd4a232e3626d Thanks for the patch. I'm leaving this ticket open for now to consider the DTLS 0.9 method stuff (which I would look at from a master only, point of view). Matt

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-03-07 Thread Matt Caswell via RT
As with #3703, patch is still in review - I will chase. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-02-18 Thread David Woodhouse via RT
Or maybe we should deprecate SSL_OP_CISCO_ANYCONNECT. It would be cleaner to support it this way instead: diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 151dd47..d4a2d15 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -133,7 +133,9 @@ static int dtls1_get_hello_verify(SSL *s); static const

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

2015-02-18 Thread David Woodhouse via RT
Since commit 741c9959 ("DTLS revision."), we put the wrong protocol version into our ClientHello and potentially other packets. The old DTLS code which used ssl->version was replaced by the more generic SSL3 code which uses ssl->client_version. The Cisco ASA no longer likes our ClientHello. A patc