Signed-off-by: David Woodhouse <dwmw2@infradead.org>
*/
SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_NO_ENCRYPT_THEN_MAC);
#endif
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+ /*
+ * Since https://github.com/openssl/openssl/pull/15127, OpenSSL
+ * *requires* secure renegotiation support by default. For interop
+ * with Cisco's resumed DTLS sessions, we have to turn that off.
+ */
+ if (dtlsver)
+ SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+#endif
#ifdef SSL_OP_NO_EXTENDED_MASTER_SECRET
/* RFC7627 says:
*
ctx = SSL_CTX_new(DTLS_client_method());
if (ctx == NULL ||
!SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER) ||
- !SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) {
+ !SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER) ||
+ !SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT)) {
printf("Failed to allocate SSL_CTX\n");
goto end_md;
}
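Review bot: The added `!SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT)` arm of the condition can never be true, because SSL_CTX_set_options() returns the resulting option bitmask rather than a success flag and that bitmask is non-zero once a non-zero option has been OR-ed in, so the branch is dead and the existing "Failed to allocate SSL_CTX" message would in any case not describe an options failure. I'd take the call out of the `||` chain and place it after the `if` block as `SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT);` preceded by a comment mirroring the other hunk's, e.g. `/* Relax the secure-renegotiation requirement for interop with Cisco's resumed DTLS sessions; see the matching dtls_ctx setup. */`, so a reader sees that this deliberately weakens the context rather than a checked failure path. Unlike the first hunk, this use is not wrapped in `#ifdef SSL_OP_LEGACY_SERVER_CONNECT`; against an OpenSSL that lacks the macro this will not compile, which may be acceptable if this is a build-time probe but is worth confirming. The enclosing function starts and ends outside the hunk.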