Bug 464629 - RFE: Support Cisco's version of DTLS
RFE: Support Cisco's version of DTLS
Product: Fedora
Classification: Fedora
Component: openssl (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-09-29 15:08 EDT by David Woodhouse
Modified: 2009-05-15 19:28 EDT (History)
1 user (show)

See Also:
Fixed In Version: 0.9.8g-13.fc10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-05-08 23:57:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Woodhouse 2008-09-29 15:08:00 EDT
I would like to ship a client for Cisco's "AnyConnect" VPN in Fedora.

AnyConnect uses a version of the DTLS protocol which slightly predates RFC4347, and is in fact based on the version that was implemented in OpenSSL around version 0.9.8e.

I've reverse-engineered the differences, and posted a patch to the openssl-dev list: http://marc.info/?l=openssl-dev&m=122268270219339&w=2

It could do with someone more clueful about TLS and OpenSSL going over it -- and because it adds a new compatibility option, it should probably get into OpenSSL upstream before we ship it.
Comment 1 Tomas Mraz 2008-09-30 03:03:43 EDT
Yes, it should definitely go into upstream first.
Comment 2 David Woodhouse 2008-09-30 03:24:33 EDT
It could do with someone more clueful than I to shepherd it there. I am entirely clueless when it comes to this stuff.

Could I trouble you to respond to my patch on openssl-dev with a basic review?
Comment 3 Tomas Mraz 2008-09-30 03:51:20 EDT
Just looking quickly at it - there might be problem with setting the s->version to DTLS1_BAD_VER based on the option which means you have to modify so many tests for the DTLS. IMO clearer approach would be to just use the option on places where the CISCO protocol really requires to use the DTLS1_BAD_VER instead of the DTLS1_VERSION.
Comment 4 David Woodhouse 2008-09-30 05:14:28 EDT
Actually I think the patch comes out smaller that way. We do modify s->version elsewhere, when we want to start communicating with a different version of the protocol. If we don't do that, we have a lot more sites to modify, where we no longer send or expect s->version in a packet but instead hard-code DTLS1_BAD_VER instead.

I tried it; the patch at http://david.woodhou.se/no-change-version.patch still isn't working and is already larger than the previous one.
Comment 5 David Woodhouse 2008-12-21 05:27:31 EST
We're now shipping the openconnect client for Cisco VPN, but it still doesn't work with DTLS because we need this patch...

http://rt.openssl.org/Ticket/Display.html?id=1751 (guest/guest)
Comment 6 Tomas Mraz 2008-12-22 03:26:29 EST
Unfortunately upstream rejected this patch.
Comment 7 David Woodhouse 2008-12-22 03:37:32 EST
I don't think so. Someone expressed reservations about applying it to HEAD, where we don't even have _server_ support for DTLS1_BAD_VER at the moment. But for the 0.9.8 branch I think they're just being characteristically slow.

I'm sure they're not really going to tell us that we need to do our own  completely new implementation of DTLS just to interoperate with the older OpenSSL-specific version of DTLS, rather than applying this simple patch.
Comment 8 David Woodhouse 2009-04-19 20:56:54 EDT
Now committed to OpenSSL upstream (both 1.0.0 and 0.9.8 branches).

Comment 9 Fedora Update System 2009-04-21 10:06:52 EDT
openssl-0.9.8k-4.fc11 has been submitted as an update for Fedora 11.
Comment 10 Fedora Update System 2009-04-21 10:08:08 EDT
openssl-0.9.8g-13.fc10 has been submitted as an update for Fedora 10.
Comment 11 Fedora Update System 2009-04-21 20:56:02 EDT
openssl-0.9.8g-13.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update openssl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-3806
Comment 12 Fedora Update System 2009-05-08 23:56:55 EDT
openssl-0.9.8g-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-05-15 19:28:16 EDT
openssl-0.9.8k-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.