[PULL request] distinguish between different rekey methods
Nikos Mavrogiannopoulos
nmav at gnutls.org
Tue Feb 11 15:37:43 EST 2014
On 02/11/2014 05:39 PM, David Woodhouse wrote:
> On Tue, 2014-02-11 at 16:35 +0100, Nikos Mavrogiannopoulos wrote:
>>
>> I think that the "ssl" rekey option of anyconnect suits better the
>> design of ocserv, as it allows for seamless rekey of both channels
>> (without breaking the connection). However, openconnect always assumes
>> the new-tunnel rekey method, and with this patch it is made aware of
>> the different options (and currently simply ignore the ones that are
>> unsupported).
> Do we actually know how the 'ssl' rekey method works for DTLS and CSTP
> with a Cisco server?
According to their documentation it performs a rehandshake over the
session. That has to be verified with a cisco server though.
For openconnect to support that (and test it), calling
gnutls_handshake() over an existing session would be sufficient.
> Previously, if the server asked for them, we'd fall back to tearing down
> the connection and making a new one (the 'new-tunnel' method). Now we do
> nothing... isn't that going to cause a problem?
I don't think that the server would enforce that, but that's only my guess.
regards,
Nikos
More information about the openconnect-devel
mailing list