From: David Woodhouse
Date: Tue, 4 Oct 2016 22:52:31 +0000 (+0100)
Subject: Allow DTLS version negotiation with PSK-NEGOTIATE and OpenSSL 1.0.2
X-Git-Tag: v7.08~16
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=97d97dff07aa764799437a1f2b8f082939d4265b;p=users%2Fdwmw2%2Fopenconnect.git

Allow DTLS version negotiation with PSK-NEGOTIATE and OpenSSL 1.0.2

We can use DTLS_client_method() here too.

Signed-off-by: David Woodhouse
---

diff --git a/openssl-dtls.c b/openssl-dtls.c
index 21e70b06..326428a1 100644
--- a/openssl-dtls.c
+++ b/openssl-dtls.c
@@ -253,15 +253,16 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 #endif
 if (!vpninfo->dtls_ctx) {
+#ifdef HAVE_DTLS12
+ dtls_method = DTLS_client_method();
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ if (dtlsver == DTLS1_BAD_VER)
+ dtls_method = DTLSv1_client_method();
 #ifdef HAVE_DTLS12
- if (dtlsver == DTLS1_2_VERSION)
+ else if (dtlsver == DTLS1_2_VERSION)
 dtls_method = DTLSv1_2_client_method();
-#endif
- dtls_method = DTLSv1_client_method();
-#else
- dtls_method = DTLS_client_method();
 #endif
 vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
 if (!vpninfo->dtls_ctx) {
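Review bot: The assignment of `dtls_method` is no longer total within this hunk: when `HAVE_DTLS12` is undefined, the only remaining assignment is guarded by `if (dtlsver == DTLS1_BAD_VER)`, so any other `dtlsver` reaches `SSL_CTX_new(dtls_method)` with whatever value the variable held before. The old code always ended in an unconditional `DTLSv1_client_method()` or `DTLS_client_method()` fallback. If the start of `start_dtls_handshake()` (outside this hunk) guarantees that `dtlsver` can only be `DTLS1_BAD_VER` without `HAVE_DTLS12`, say so above the `if`, e.g. `/* Without HAVE_DTLS12, dtlsver is always DTLS1_BAD_VER here */`; otherwise keep an explicit fallback for that build. Separately, a configuration with `HAVE_DTLS12` on OpenSSL 1.0.2 and a `dtlsver` that is neither `DTLS1_BAD_VER` nor `DTLS1_2_VERSION` now gets the version-flexible method, so the lowest protocol version the client will accept is decided by code not visible here and deserves a comment pointing to where that floor is set.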