diff options
author | David Woodhouse <David.Woodhouse@intel.com> | 2016-07-25 18:03:27 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-08-04 20:56:24 +0100 |
commit | 032924c4b4104654ff8659b4701e4ab25872a12e (patch) | |
tree | a7b5757cae6a997fe0fbbbfce6117c4bcd41b0a7 /ssl/d1_lib.c | |
parent | 387cf21345f981d3897f88a6479d8e60721c2c6b (diff) |
Make DTLS1_BAD_VER work with DTLS_client_method()
DTLSv1_client_method() is deprecated, but it was the only way to obtain
DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with
DTLS_client_method(), and it's relatively non-trivial to make it work without
expanding the hack into lots of places.
So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make
it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl/d1_lib.c')
-rw-r--r-- | ssl/d1_lib.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 0a985551b8..08a503786f 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -179,10 +179,13 @@ void dtls1_clear(SSL *s) } ssl3_clear(s); - if (s->options & SSL_OP_CISCO_ANYCONNECT) - s->client_version = s->version = DTLS1_BAD_VER; - else if (s->method->version == DTLS_ANY_VERSION) + + if (s->method->version == DTLS_ANY_VERSION) s->version = DTLS_MAX_VERSION; +#ifndef OPENSSL_NO_DTLS1_METHOD + else if (s->options & SSL_OP_CISCO_ANYCONNECT) + s->client_version = s->version = DTLS1_BAD_VER; +#endif else s->version = s->method->version; } |