Fix DTLS compatibility with ASA firmware 8.4.1(11) and above.

It seems to get very upset when we resend our ChangeCipherSpec messages,
as the RFC says we're supposed to do. Without a periodic resend, if the
original did get lost in transit, the server wouldn't be able to decrypt
any of our data packets.

Perhaps there's something "wrong" with our packets; the ChangeCipherSpec
messages is is one of the areas in which Cisco's "speshul" version of
DTLS differs from RFC4347. But the Cisco client doesn't seem to resend it
at all, ever. Making it hard to tell what Cisco want it to look like,
unless we wanted to reverse-engineer their code. Which we don't.

If Cisco get away without resending, I suppose we can, until/unless we
work it out. DPD should mostly let us get away with it, because if the
first packet *does* get lost, DPD will soon tell us that the DTLS
connection is dead and we'll make a new one. Sucks, but that's what you
get for using crappy not-quite-RFC-compliant kit. Yay Cisco. Why not join
us in 2006 and start using the proper standard? It's not even as if it'd
be hard to support both in parallel for a while.

Thanks to Eric Barkie for the initial diagnosis.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/dtls.c b/dtls.c
index cff6ef3..f14a075 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -272,6 +272,14 @@ int dtls_try_handshake(struct openconnect_info *vpninfo)
 
                vpninfo->dtls_times.last_rx = vpninfo->dtls_times.last_tx = time(NULL);
 
+               /* From about 8.4.1(11) onwards, the ASA seems to get
+                  very unhappy if we send it ChangeCipherSpec messages
+                  after the initial setup. Disable the retransmit timer;
+                  the Cisco client doesn't seem to do it at all, and
+                  DPD would help us notice if the original does go AWOL
+                  and hence the server can't decrypt any data packets. */
+               dtls1_stop_timer(vpninfo->dtls_ssl);
+
                return 0;
        }
 

diff --git a/openconnect.html b/openconnect.html
index 8ef1e4a..fc13f9c 100644 (file)
--- a/openconnect.html
+++ b/openconnect.html
@@ -183,6 +183,7 @@ For full changelog entries including the latest development, see
 <UL>
   <LI><B>OpenConnect HEAD</B><BR>
      <UL>
+       <LI>Fix DTLS compatibility with ASA firmware 8.4.11(11) and above.</LI>
        <LI>Fix build failures on GNU Hurd, on systems with ancient OpenSSL,
         and on Debian.</LI>
      </UL><BR>
@@ -497,6 +498,6 @@ An <TT>openconnect</TT> <A HREF="http://www.freebsd.org/cgi/cvsweb.cgi/ports/sec
 <hr>
 <address>David Woodhouse &lt;<A HREF="mailto:dwmw2@infradead.org">dwmw2@infradead.org</A>&gt;</address>
 <!-- hhmts start -->
-Last modified: Wed Jul 20 17:36:36 PDT 2011
+Last modified: Thu Sep  8 14:06:19 BST 2011
 <!-- hhmts end -->
 </body> </html>