From: Nikos Mavrogiannopoulos Date: Wed, 21 Feb 2024 20:56:03 +0000 (+0100) Subject: openssl-dtls: set security level to zero when negotiating DTLS 1.0 or earlier X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=6b603d1aec28f7f68f90d4cd5fe4a421c792b63c;p=users%2Fdwmw2%2Fopenconnect.git openssl-dtls: set security level to zero when negotiating DTLS 1.0 or earlier This addresses the issue of openssl 3.1 running in fedora39. Signed-off-by: Nikos Mavrogiannopoulos Signed-off-by: Daniel Lenski --- diff --git a/openssl-dtls.c b/openssl-dtls.c index 69a8f744..2a061ad8 100644 --- a/openssl-dtls.c +++ b/openssl-dtls.c @@ -390,6 +390,15 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd) if (dtlsver == DTLS1_BAD_VER) SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_CISCO_ANYCONNECT); #endif + +#if OPENSSL_VERSION_NUMBER >= 0x030100000L + /* After openssl 3.1, DTLS 1.0 and earlier cannot be negotiated + * without reducing the security level. See openssl commit + * a8b6c9f83ce49b6192137c7600532441db885e19 */ + if (!dtlsver) + SSL_CTX_set_security_level(vpninfo->dtls_ctx, 0); +#endif + /* If we don't readahead, then we do short reads and throw away the tail of data packets. */ SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
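Review bot: the guard `#if OPENSSL_VERSION_NUMBER >= 0x030100000L` looks mistyped: the literal has nine hex digits, while OpenSSL's version numbers are eight (3.1.0 is `0x30100000L`), so as written the comparison is against a value above any released OpenSSL and the new block would be compiled out everywhere, leaving the Fedora 39 / OpenSSL 3.1 case from the commit message unfixed; please confirm the intended constant. Also, the subject and the in-code comment talk about "DTLS 1.0 and earlier", but the condition is only `if (!dtlsver)`, which does not cover the `dtlsver == DTLS1_BAD_VER` path handled a few lines above; either extend the condition to that case or add a comment explaining why a zero `dtlsver` is the only one that needs it. Since `SSL_CTX_set_security_level(..., 0)` also drops key-size and signature checks, keeping it scoped to exactly the legacy path is worth being explicit about.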