Allow DTLS version negotiation with PSK-NEGOTIATE and OpenSSL 1.0.2
authorDavid Woodhouse <David.Woodhouse@intel.com>
Tue, 4 Oct 2016 22:52:31 +0000 (23:52 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Tue, 4 Oct 2016 22:53:34 +0000 (23:53 +0100)
We can use DTLS_client_method() here too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
openssl-dtls.c

index 21e70b06b708f798632992f6a5c868ab4ab7f7df..326428a13af98eededb229bb22fafeb2851395ce 100644 (file)
@@ -253,15 +253,16 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 #endif
 
        if (!vpninfo->dtls_ctx) {
+#ifdef HAVE_DTLS12
+               dtls_method = DTLS_client_method();
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+               if (dtlsver == DTLS1_BAD_VER)
+                       dtls_method = DTLSv1_client_method();
 #ifdef HAVE_DTLS12
-               if (dtlsver == DTLS1_2_VERSION)
+               else if (dtlsver == DTLS1_2_VERSION)
                        dtls_method = DTLSv1_2_client_method();
-               else
 #endif
-                       dtls_method = DTLSv1_client_method();
-#else
-               dtls_method = DTLS_client_method();
 #endif
                vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
                if (!vpninfo->dtls_ctx) {
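Review bot: On a build without HAVE_DTLS12, nothing in this block assigns `dtls_method` unless `dtlsver == DTLS1_BAD_VER`, because the unconditional `else dtls_method = DTLSv1_client_method();` fallback was removed and the new default sits inside `#ifdef HAVE_DTLS12`. The declaration of `dtls_method` is outside the hunk, so unless it is initialised there, `SSL_CTX_new(dtls_method)` could receive an indeterminate pointer on that path. Giving the first conditional a fallback keeps every configuration assigned: `#else` followed by `dtls_method = DTLSv1_client_method();` before its `#endif`. A short comment above the `DTLS1_BAD_VER` test would also help, for example `/* Pre-1.1.0 OpenSSL and LibreSSL need a version-specific method; otherwise the flexible method negotiates */`. The body of start_dtls_handshake continues outside the hunk, so any later pinning of the protocol version for the flexible method cannot be checked from here.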