Clean up DTLS timer workaround to make it work with Debian OpenSSL, hopefully
The Debian libraries don't export dtls1_stop_timer() since it's supposed to
be an internal function. But thankfully I think we can do it manually. This
sucks; it means that a misguided attempt at restricting us has forced us
into poking at even *more* internal stuff than we ever wanted to. Yay Debian.
Try to make it slightly less insane by putting upper and lower bounds on
the versions for which we'll do it: We know that OpenSSL 1.0.0e and
above won't be resending the ChangeCipherSpec messages anyway, because
of the fix for OpenSSL RT#2505. I'm dubious about that being the correct
thing to do, but it's working and it matches the Cisco client so I'm going
to try not to think about it too hard.
Also stop *defining* SSL_OP_CISCO_ANYCONNECT for ourselves, and simply
refuse to build DTLS support if it's absent. That patch is merged into
OpenSSL long ago, so we are effectively requiring 0.9.8m or above.
That version is, by coincidence, also the first version where our own
dirty reimplementation of dtls1_stop_timer() is valid. If someone does
backport the Cisco compatibility patch to even-more-ancient OpenSSL than
that, they'd best make sure they backport the other fixes too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>