From: David Woodhouse Date: Tue, 4 May 2021 16:05:49 +0000 (+0100) Subject: openssl: Add SSL_OP_LEGACY_SERVER_CONNECT to allow-insecure-crypto X-Git-Tag: v8.20~232 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=c8dcf10cb9bd63c3148922c42b9c47392c89fe9d;p=users%2Fdwmw2%2Fopenconnect.git openssl: Add SSL_OP_LEGACY_SERVER_CONNECT to allow-insecure-crypto OpenSSL 3.0.0 onwards will require secure negotiation by default, which Cisco servers don't seem to cope with. Let --allow-insecure-crypto turn that off. Signed-off-by: David Woodhouse --- diff --git a/openssl.c b/openssl.c index e9750e38..aef7c4f9 100644 --- a/openssl.c +++ b/openssl.c @@ -1807,6 +1807,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo) * For now we will set the security level to 0, thus reverting * to the functionality seen in versions before 1.1.0. */ SSL_CTX_set_security_level(vpninfo->https_ctx, 0); + + /* OpenSSL 3.0.0 refuses legacy renegotiation by default. + * Current versions of the Cisco ASA doesn't seem to cope */ + SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_LEGACY_SERVER_CONNECT); } #endif
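Review bot: The new comment in the hunk ("OpenSSL 3.0.0 refuses legacy renegotiation by default. Current versions of the Cisco ASA doesn't seem to cope") understates what the option does and has a grammar slip. SSL_OP_LEGACY_SERVER_CONNECT permits the initial handshake with servers that do not advertise the RFC 5746 secure-renegotiation (RI) extension, so the comment should say that explicitly, e.g. "OpenSSL 3.0.0 no longer allows connections to servers lacking RFC 5746 secure renegotiation; current Cisco ASA versions don't seem to send the RI extension", and "doesn't" should be "don't". Since this sits on the same --allow-insecure-crypto path that already drops the security level to 0 via SSL_CTX_set_security_level(vpninfo->https_ctx, 0), it would also help to note in the comment (or log once at connect time) that the option weakens the handshake only when the user has opted in, so that anyone reading this block later does not assume it is applied unconditionally.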