[External]Re: openconnect+OpenSSL failing DTLS handshake with ocserv+GnuTLS
Vuille, Martin (Martin)
vmartin at avaya.com
Mon Jul 19 08:48:54 PDT 2021
I single-stepped through start_dtls_handshake() and I can see that we end up at line 520 in openssl-dtls.c, where generate_dtls_session() is called with DTLS1_VERSION for the dtlsver argument. So that explains why the ClientHello has version 1.0 record/1.0 handshake. I don't understand why ocserv has an issue with that, but that's not really relevant to what I'm trying to do.

I replaced DTLS1_VERSION with DTLS1_2_VERSION and the handshake succeeds. The ClientHello has version 1.2 record/1.2 handshake though, which is not the same as with GnuTLS.

Then I replaced DTLS1_VERSION with DTLS_ANY_VERSION and that does not work. The ClientHello has version 1.0 record/1.2 handshake, same as GnuTLS, but is missing the session ID, has a truncated cipher list, etc.
Is the hard-coding of DTLS1_VERSION expected?
MV