On Sun, Feb 16, 2014 at 11:12 PM, Kevin Cernekee <cernekee at gmail.com> wrote:

> You guys might want to hold off on "Rework DTLS master secret
> (re)generation" depending on what Nikos' rekeying changes wind up looking
> like?

I have completed the changes in the rekey branch. In that branch openconnect behaves:

1a. On anyconnect servers that send "X-CSTP-Rekey-Method: new-tunnel"
    The same as anyconnect clients. On rekey time when CSTP reconnects, the DTLS reconnects as well.

1b. On anyconnect servers that send "X-CSTP-Rekey-Method: ssl"
    The same as anyconnect clients. On rekey time when CSTP rehandshakes, DTLS reconnects.

2. On ocserv (that sends "X-CSTP-Rekey-Method: ssl" and "X-DTLS-Rekey-Method: ssl")
    On CSTP rekey time CSTP rehandshakes, and on DTLS rekey time DTLS rehandshakes.

I have tested all the above cases (but with ocserv).

regards,
Nikos