[External] Re: openconnect+OpenSSL failing DTLS handshake with ocserv+GnuTLS

Vuille, Martin (Martin) vmartin at avaya.com
Mon Jul 19 11:07:25 PDT 2021


> Good to know. I don't think we would want to use this as a "permanent"
> solution, however, since the intent of PSK-NEGOTIATE is that it will, well, "negotiate" the desired version of DTLS.

Indeed. Hence my further test.

> That's confusing! generate_dtls_session should definitely be setting the session_id in this case.
>
> It *seems* like the right fix should be to use DTLS_ANY_VERSION.
> You're saying that the following *does not work*?
>
> diff --git a/openssl-dtls.c b/openssl-dtls.c index 76bcd2f1..6501d8d8 100644
> --- a/openssl-dtls.c
> +++ b/openssl-dtls.c
> @@ -560,7 +560,8 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
>                  * and isn't actually going to be resumed at all.
>                  */
>                 const uint8_t cs[2] = {0x00, 0x2F}; /* RSA-AES-128 */work
> -               dtls_session = generate_dtls_session(vpninfo, DTLS1_VERSION,
> +               dtls_session = generate_dtls_session(vpninfo, 
> + DTLS_ANY_VERSION,
>
> SSL_CIPHER_find(dtls_ssl, cs),
>                                                      1);
>                if (!dtls_session) {
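Review bot: passing DTLS_ANY_VERSION into generate_dtls_session() changes the version recorded on a session that the comment just above the hunk says exists only to carry the session ID and is never actually resumed, so before treating the reported SSL_ERROR_WANT_READ as "ocserv ignored a ClientHello with no session ID", check the ClientHello bytes themselves (a packet capture, or an SSL_CTX_set_msg_callback hook) to see whether the session_id field is really empty, and check the return value of the call that attaches the session to the SSL object rather than only single-stepping its construction: a session that is built correctly but rejected when attached gives exactly the same symptom. As quoted, the hunk is also line-wrapped (the `+ DTLS_ANY_VERSION,` continuation and the `SSL_CIPHER_find(dtls_ssl, cs),` argument have been split from their lines, and `/* RSA-AES-128 */work` carries a stray trailing word), so it should be re-sent unwrapped or as an attachment before anyone tries to apply it.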

Correct, that does not work. I single-stepped through generate_dtls_session() and
there is definitely a session ID being created and added, using the dtls_app_id from vpninfo.
Then we go back to start_dtls_handshake(), which calls dtls_try_handshake(), which
calls SSL_do_handshake().

SSL_do_handshake() fails with SSL_ERROR_WANT_READ, presumably because
ocserv ignores the ClientHello with no session ID. ocserv doesn't even log an error.

MV

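The reply above infers from SSL_ERROR_WANT_READ that the ClientHello went out without a session ID. The check below is an added example, not code from openconnect or ocserv: it parses the first DTLS record of a datagram (record and handshake headers as in RFC 6347, ClientHello body as in RFC 5246) and reports the session_id length and value, the HelloVerifyRequest cookie and the offered cipher suites, so the hypothesis can be tested against bytes on the wire (the UDP payload from a packet capture, or the bytes handed to an SSL_CTX_set_msg_callback() hook) rather than by single-stepping generate_dtls_session(). Python is used for convenience although the project is C; the two sample datagrams are constructed inline and are not captured traffic.

```python
"""Does a DTLS ClientHello actually carry a session ID?  (added example)"""
import struct

DTLS1_0 = 0xFEFF            # record-layer version normally used for a ClientHello
DTLS1_2 = 0xFEFD
CT_HANDSHAKE = 22
HT_CLIENT_HELLO = 1
# content type, version, epoch, 48-bit sequence number (16 + 32), length
RECORD_HDR = struct.Struct("!BHHHIH")


class _Reader:
    """Bounds-checked cursor over a byte string."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def remaining(self) -> int:
        return len(self.data) - self.pos


def parse_dtls_client_hello(datagram: bytes) -> dict:
    """Parse one DTLS record that holds an unfragmented ClientHello."""
    if len(datagram) < RECORD_HDR.size:
        raise ValueError("datagram shorter than a DTLS record header")
    ctype, rec_ver, epoch, _, _, rec_len = RECORD_HDR.unpack_from(datagram)
    if ctype != CT_HANDSHAKE:
        raise ValueError(f"content type {ctype} is not handshake")
    body = _Reader(datagram[RECORD_HDR.size:RECORD_HDR.size + rec_len])
    if body.remaining() != rec_len:
        raise ValueError("record length exceeds datagram")
    msg_type, msg_len = body.uint(1), body.uint(3)
    msg_seq, frag_off, frag_len = body.uint(2), body.uint(3), body.uint(3)
    if msg_type != HT_CLIENT_HELLO:
        raise ValueError(f"handshake type {msg_type} is not ClientHello")
    if frag_off != 0 or frag_len != msg_len:
        raise ValueError("fragmented ClientHello; reassemble before parsing")
    h = _Reader(body.take(frag_len))
    client_version = h.uint(2)
    h.take(32)                          # client random, not needed here
    session_id = h.take(h.uint(1))      # empty means "no resumption offered"
    cookie = h.take(h.uint(1))          # HelloVerifyRequest cookie, empty on first flight
    n_suites = h.uint(2) // 2
    suites = [h.uint(2) for _ in range(n_suites)]
    h.take(h.uint(1))                   # compression methods
    ext_len = h.uint(2) if h.remaining() >= 2 else 0
    return {
        "record_version": rec_ver, "epoch": epoch, "message_seq": msg_seq,
        "client_version": client_version,
        "session_id": session_id, "session_id_len": len(session_id),
        "cookie": cookie, "cipher_suites": suites, "extensions_len": ext_len,
    }


def build_client_hello(session_id: bytes, cookie: bytes = b"",
                       version: int = DTLS1_2, suites=(0x002F,),
                       record_version: int = DTLS1_0) -> bytes:
    """Constructed sample datagram (not captured traffic): one DTLS record
    carrying an unfragmented ClientHello with the given session_id."""
    hello = struct.pack("!H", version) + bytes(32)          # version + zero random
    hello += bytes([len(session_id)]) + session_id
    hello += bytes([len(cookie)]) + cookie
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                    # one method: null
    hs = bytes([HT_CLIENT_HELLO]) + len(hello).to_bytes(3, "big")
    hs += struct.pack("!H", 0)                              # message_seq
    hs += (0).to_bytes(3, "big") + len(hello).to_bytes(3, "big")  # offset, frag len
    hs += hello
    return RECORD_HDR.pack(CT_HANDSHAKE, record_version, 0, 0, 0, len(hs)) + hs


# Constructed samples: a 32-byte session ID as a resumption-style hello, and none.
SAMPLE_WITH_SESSION_ID = build_client_hello(bytes(range(32)))
SAMPLE_WITHOUT_SESSION_ID = build_client_hello(b"")

if __name__ == "__main__":
    for name, dgram in (("with session id", SAMPLE_WITH_SESSION_ID),
                        ("without session id", SAMPLE_WITHOUT_SESSION_ID)):
        r = parse_dtls_client_hello(dgram)
        print(f"{name}: session_id_len={r['session_id_len']} "
              f"session_id={r['session_id'].hex() or '-'} "
              f"suites={[hex(s) for s in r['cipher_suites']]}")
```

To use it on real traffic, hand the function the UDP payload of the first packet the client sends to the DTLS port; if session_id_len is 0 there, the problem is on the client side before the ClientHello is serialized, and if it is non-zero, the server's silence needs explaining instead.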

More information about the openconnect-devel mailing list