From: David Woodhouse <dwmw2@infradead.org>
Date: Mon, 2 Mar 2015 16:20:15 +0000 (+0000)
Subject: Wrong SSL version in DTLS1_BAD_VER ClientHello
X-Git-Tag: OpenSSL_1_0_2a~47
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0d691e0e27a5eed8ece790830b8a2168348b1373;p=openssl

Wrong SSL version in DTLS1_BAD_VER ClientHello

Since commit 741c9959 ("DTLS revision."), we put the wrong protocol
version into our ClientHello for DTLS1_BAD_VER. The old DTLS
code which used ssl->version was replaced by the more generic SSL3 code
which uses ssl->client_version. The Cisco ASA no longer likes our
ClientHello.

RT#3711

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f7683aaf36341dc65672ac2ccdbfd4a232e3626d)
---

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 28457579b7..1f1005421e 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -270,7 +270,7 @@ void dtls1_clear(SSL *s)
 
     ssl3_clear(s);
     if (s->options & SSL_OP_CISCO_ANYCONNECT)
-        s->version = DTLS1_BAD_VER;
+        s->client_version = s->version = DTLS1_BAD_VER;
     else if (s->method->version == DTLS_ANY_VERSION)
         s->version = DTLS1_2_VERSION;
     else