diff options
| author | David Woodhouse <David.Woodhouse@intel.com> | 2016-07-25 18:03:27 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-08-04 20:56:24 +0100 |
| commit | 032924c4b4104654ff8659b4701e4ab25872a12e (patch) | |
| tree | a7b5757cae6a997fe0fbbbfce6117c4bcd41b0a7 /include | |
| parent | 387cf21345f981d3897f88a6479d8e60721c2c6b (diff) | |
Make DTLS1_BAD_VER work with DTLS_client_method()
DTLSv1_client_method() is deprecated, but it was the only way to obtain
DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with
DTLS_client_method(), and it's relatively non-trivial to make it work without
expanding the hack into lots of places.
So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make
it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/openssl/ssl.h | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 2aca2f94d5..e58ad30099 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -306,8 +306,11 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, # define SSL_OP_COOKIE_EXCHANGE 0x00002000U /* Don't use RFC4507 ticket extension */ # define SSL_OP_NO_TICKET 0x00004000U -/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */ -# define SSL_OP_CISCO_ANYCONNECT 0x00008000U +# ifndef OPENSSL_NO_DTLS1_METHOD +/* Use Cisco's "speshul" version of DTLS_BAD_VER + * (only with deprecated DTLSv1_client_method()) */ +# define SSL_OP_CISCO_ANYCONNECT 0x00008000U +# endif /* As server, disallow session resumption on renegotiation */ # define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000U |