[External]Re: openconnect+OpenSSL failing DTLS handshake with ocserv+GnuTLS
Vuille, Martin (Martin)
vmartin at avaya.com
Mon Jul 19 11:07:25 PDT 2021
> Good to know. I don't think we would want to use this as a "permanent"
> solution, however, since the intent of PSK-NEGOTIATE is that it will, well, "negotiate" the desired version of DTLS.
Indeed. Hence my further test.
> That's confusing! generate_dtls_session should definitely be setting the session_id in this case.
>
> It *seems* like the right fix should be to use DTLS_ANY_VERSION.
> You're saying that the following *does not work*?
>
> diff --git a/openssl-dtls.c b/openssl-dtls.c index 76bcd2f1..6501d8d8 100644
> --- a/openssl-dtls.c
> +++ b/openssl-dtls.c
> @@ -560,7 +560,8 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
> * and isn't actually going to be resumed at all.
> */
> const uint8_t cs[2] = {0x00, 0x2F}; /* RSA-AES-128 */work
> - dtls_session = generate_dtls_session(vpninfo, DTLS1_VERSION,
> + dtls_session = generate_dtls_session(vpninfo,
> + DTLS_ANY_VERSION,
>
> SSL_CIPHER_find(dtls_ssl, cs),
> 1);
> if (!dtls_session) {
Correct, that does not work. I single-stepped through generate_dtls_session() and
there is definitely a session ID being created and added, using the dtls_app_id from vpninfo.
Then we go back to start_dtls_handshake(), which calls dtls_try_handshake(), which
calls SSL_do_handshake().
SSL_do_handshake() fails with SSL_ERROR_WANT_READ, presumably because
ocserv ignores the ClientHello with no session ID. ocserv doesn't even log an error.
MV
More information about the openconnect-devel
mailing list