www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
openssl: Add SSL_OP_LEGACY_SERVER_CONNECT to allow-insecure-crypto
author David Woodhouse <dwmw2@infradead.org>
Tue, 4 May 2021 16:05:49 +0000 (17:05 +0100)
committer David Woodhouse <dwmw2@infradead.org>
Wed, 5 May 2021 06:57:05 +0000 (07:57 +0100)
OpenSSL 3.0.0 onwards will require secure negotiation by default, which
Cisco servers don't seem to cope with. Let --allow-insecure-crypto turn
that off.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
openssl.c

index e9750e381d865372c3bb84bc238c92e744ac0400..aef7c4f9de95f65a1d3658cc0c5159b43716fb38 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -1807,6 +1807,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
                         * For now we will set the security level to 0, thus reverting
                         * to the functionality seen in versions before 1.1.0. */
                        SSL_CTX_set_security_level(vpninfo->https_ctx, 0);
+
+                       /* OpenSSL 3.0.0 refuses legacy renegotiation by default.
+                        * Current versions of the Cisco ASA doesn't seem to cope */
+                       SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
                }
 #endif
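Review bot: The new comment above the `SSL_CTX_set_options()` call describes the option imprecisely and has a grammar slip: `SSL_OP_LEGACY_SERVER_CONNECT` allows the initial handshake with a server that does not advertise RFC 5746 secure renegotiation support, rather than enabling "legacy renegotiation" as such, so "OpenSSL 3.0.0 refuses legacy renegotiation by default" would be clearer as "OpenSSL 3.0.0 refuses to connect to servers without RFC 5746 secure renegotiation support by default", and "Current versions of the Cisco ASA doesn't seem to cope" should read "don't seem to cope". Note also that the option is set in the same branch that already calls `SSL_CTX_set_security_level(vpninfo->https_ctx, 0)`, so a user who only needs tolerance for a legacy server also gets the weakest cipher policy; if the two cannot be separated, a log line when the option is applied would at least make the trade-off visible to the user.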