Make DTLS1_BAD_VER work with DTLS_client_method() DTLSv1_client_method() is deprecated, but it was the only way to obtain DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with DTLS_client_method(), and it's relatively non-trivial to make it work without expanding the hack into lots of places. So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>

commit: 032924c4b4104654ff8659b4701e4ab25872a12e [log] [tgz]
author: David Woodhouse <David.Woodhouse@intel.com> Mon Jul 25 18:03:27 2016 +0100
committer: Matt Caswell <matt@openssl.org> Thu Aug 04 20:56:24 2016 +0100
tree: a7b5757cae6a997fe0fbbbfce6117c4bcd41b0a7
parent: 387cf21345f981d3897f88a6479d8e60721c2c6b [diff] [blame]
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 0a98555..08a5037 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c

@@ -179,10 +179,13 @@
     }
 
     ssl3_clear(s);
-    if (s->options & SSL_OP_CISCO_ANYCONNECT)
-        s->client_version = s->version = DTLS1_BAD_VER;
-    else if (s->method->version == DTLS_ANY_VERSION)
+
+    if (s->method->version == DTLS_ANY_VERSION)
         s->version = DTLS_MAX_VERSION;
+#ifndef OPENSSL_NO_DTLS1_METHOD
+    else if (s->options & SSL_OP_CISCO_ANYCONNECT)
+        s->client_version = s->version = DTLS1_BAD_VER;
+#endif
     else
         s->version = s->method->version;
 }
commit	032924c4b4104654ff8659b4701e4ab25872a12e	[log] [tgz]
author	David Woodhouse <David.Woodhouse@intel.com>	Mon Jul 25 18:03:27 2016 +0100
committer	Matt Caswell <matt@openssl.org>	Thu Aug 04 20:56:24 2016 +0100
tree	a7b5757cae6a997fe0fbbbfce6117c4bcd41b0a7
parent	387cf21345f981d3897f88a6479d8e60721c2c6b [diff] [blame]