ASA cipher issues, take two

David Woodhouse dwmw2 at infradead.org
Fri Sep 9 18:19:11 EDT 2011


On Fri, 2011-09-09 at 14:04 -0700, sebastian.moeller wrote:
> 
> happy user of openconnect under macosx here. Recently I ran into issues
> with a recently updated ASA. DTLS kept on dropping (and until the
> first message of the fallback to https the VPN did not work at all).
> This sounds very similar to the issue tackled in one of the recent
> commits. Only in my case the solution was to fix my version of
> openssl. Version 1.0.0.d has a known issue with a timer that seemed to
> have caused the problem in my case.

Ah, thanks for this information. I thought those retransmits of the
ChangeCipherSpec and Finished messages were *supposed* to happen. Since
we don't get a response back from the server, we have no way of knowing
they were received... so if we don't make *sure* by retransmitting
occasionally, then *all* our data packets could be lost.

I think the biggest issue is that our ChangeCipherSpec messages are
"malformed", according to the Cisco server. Because the *retransmit*
code doesn't have the special case to do the Cisco non-RFC-compliant
version of the ChangeCipherSpec message. My attempts to remedy that
didn't seem to help, and I don't really want to make people wait for a
new version of OpenSSL — so the call to dtls1_stop_timer() seems to be
the best approach for now, I think.

-- 
dwmw2
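The reasoning in the reply above (the server never answers the client's final ChangeCipherSpec/Finished flight, so if that flight is lost and never resent, every data record afterwards is discarded) can be shown with a small constructed simulation. This is an added illustration, not code from openconnect, OpenSSL or Cisco: the `Server`, `LossyChannel` and `simulate` names, the one-second tick model and the outage pattern are all assumptions made here, and it does not model Cisco's non-RFC ChangeCipherSpec encoding, only the retransmit-versus-no-retransmit behaviour. The timer doubling follows the RFC 6347 section 4.2.4.1 guidance (start at 1 s, double on each retransmit, cap at 60 s).

```python
"""Constructed simulation of a DTLS client's final flight over a lossy link.

The client sends ChangeCipherSpec + Finished, then application data. The
server sends nothing back for that flight, so the client cannot tell whether
it arrived. Compare a client that never resends with one that resends on a
doubling timer (RFC 6347 s4.2.4.1 style).
"""
from dataclasses import dataclass, field

CCS, FINISHED, DATA = "ChangeCipherSpec", "Finished", "ApplicationData"


@dataclass
class Server:
    """Peer that accepts data records only after it has seen the client's Finished."""
    finished_seen: bool = False
    data_received: list = field(default_factory=list)  # tick at which each record was accepted

    def receive(self, t, record):
        if record == FINISHED:
            self.finished_seen = True
        elif record == DATA and self.finished_seen:
            self.data_received.append(t)
        # CCS, and DATA arriving before FINISHED, are silently dropped: no reply goes back.


@dataclass
class LossyChannel:
    """Assumed loss model: every record sent while t < outage_until is lost."""
    outage_until: int
    dropped: int = 0

    def send(self, server, t, record):
        if t < self.outage_until:
            self.dropped += 1
            return False
        server.receive(t, record)
        return True


def simulate(outage_until, retransmit, duration=20, initial_timeout=1, max_timeout=60):
    """Run one client for `duration` one-second ticks.

    Returns (data_records_accepted_by_server, flights_sent).
    """
    server = Server()
    chan = LossyChannel(outage_until)
    timeout = initial_timeout
    next_resend = initial_timeout
    flights = 0
    for t in range(duration):
        if t == 0 or (retransmit and t >= next_resend):
            # Send (or resend) the final flight: ChangeCipherSpec followed by Finished.
            chan.send(server, t, CCS)
            chan.send(server, t, FINISHED)
            flights += 1
            if t > 0:
                timeout = min(timeout * 2, max_timeout)  # back off on every retransmit
            next_resend = t + timeout
        # One data record per tick, sent regardless of whether the flight got through:
        # the client has no way of knowing.
        chan.send(server, t, DATA)
    return len(server.data_received), flights


if __name__ == "__main__":
    for retransmit in (False, True):
        accepted, flights = simulate(outage_until=5, retransmit=retransmit)
        print(f"retransmit={retransmit}: flights sent={flights}, data accepted={accepted}/20")
```

With a five-second outage at the start, the client that stops its timer after the first flight sends one flight and gets no data through at all; the client that keeps retransmitting gets the flight delivered on its fourth attempt (at t=7) and every data record from then on is accepted.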