[GIT PULL V4] JNI bindings for libopenconnect

On Tue, Jan 21, 2014 at 9:54 AM, Woodhouse, David
<david.woodhouse at intel.com> wrote:
>> I was toying with the idea of just closing the DTLS connection any
>> time the CSTP connection is closed, under the assumption that the DTLS
>> parameters are likely to get changed upon CSTP reconnection.  Would
>> that make sense?
>
> In my testing against Cisco servers, the DTLS parameters *weren't*
> changing.

At the very minimum I'd worry about this case:

    /* Create (new) random master key for DTLS connection, if needed */
    if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey <
        time(NULL) + 300 &&
        openconnect_random(vpninfo->dtls_secret,
                           sizeof(vpninfo->dtls_secret))) {
        vpn_progress(vpninfo, PRG_ERR,
                     _("Failed to initialise DTLS secret\n"));
        return -EIO;
    }


On a server whose dtls_times.rekey == 0 and dtls_times.dpd == 0, DTLS
loses sync and never recovers.

Are you getting the same X-DTLS-Session-ID every time you reconnect?
On my ASA I see different IDs; on ocserv I see the same ID.
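The rekey condition quoted above has a corner case worth seeing in isolation: when the server announces rekey == 0, the left-hand side collapses to last_rekey, which is always in the past, so the check is true on every CSTP reconnect and the client draws a fresh master secret each time. The following C program is an added illustration written for this thread, not openconnect's own code. It models only the rekey side of the condition (DPD is not simulated), uses a hypothetical peer_state struct and a deterministic fake_random() in place of openconnect_random(), and assumes, as a simplification, that the server keeps the secret it was given when the session was first set up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical model, not openconnect's real structures: the fields that the
 * quoted condition actually reads. rekey == 0 means "server never rekeys". */
struct dtls_times {
    time_t last_rekey;
    int rekey;
};

struct peer_state {
    uint32_t secret;            /* stand-in for the 48-byte DTLS master secret */
    struct dtls_times times;
};

/* Constructed stand-in for openconnect_random(): a 32-bit LCG, so the run is
 * reproducible offline. Consecutive outputs are always distinct. */
static uint32_t fake_random(uint32_t *seed)
{
    *seed = *seed * 1664525u + 1013904223u;
    return *seed;
}

/* The condition quoted in the mail: regenerate the master secret when the
 * next scheduled rekey is less than 300 s away. With rekey == 0 this reduces
 * to last_rekey < now + 300, which is true on every reconnect. */
bool dtls_secret_needs_refresh(const struct dtls_times *t, time_t now)
{
    return t->last_rekey + t->rekey < now + 300;
}

/* One CSTP reconnect: the client runs the check and may draw a new secret;
 * the modelled server keeps the secret from session setup. Returns true if
 * both sides still hold the same secret afterwards. */
bool simulate_reconnect(struct peer_state *client,
                        const struct peer_state *server,
                        time_t now, uint32_t *seed)
{
    if (dtls_secret_needs_refresh(&client->times, now))
        client->secret = fake_random(seed);
    return client->secret == server->secret;
}

/* Perform `reconnects` CSTP reconnects spaced `gap` seconds apart against a
 * server announcing `rekey`; return how many left DTLS in sync. */
int count_in_sync(int rekey, int reconnects, int gap)
{
    uint32_t seed = 12345u;
    time_t t0 = 1390300000;     /* constructed epoch, roughly January 2014 */
    struct peer_state server = { .secret = fake_random(&seed),
                                 .times = { .last_rekey = t0, .rekey = rekey } };
    struct peer_state client = server;   /* session established in sync */
    int ok = 0;

    for (int i = 1; i <= reconnects; i++)
        if (simulate_reconnect(&client, &server, t0 + (time_t)i * gap, &seed))
            ok++;
    return ok;
}

int main(void)
{
    /* rekey == 0: every reconnect regenerates the secret, none stay in sync */
    printf("rekey=0:    %d of 10 reconnects in sync\n", count_in_sync(0, 10, 60));
    /* rekey == 3600 with reconnects well before the rekey window: all in sync */
    printf("rekey=3600: %d of 10 reconnects in sync\n", count_in_sync(3600, 10, 60));
    return 0;
}
```

The second run shows the intended behaviour: with a real rekey interval the secret is only refreshed inside the 300 s window before the scheduled rekey. The first run is the case raised in the mail, where a server that never rekeys makes the client replace the secret on every CSTP reconnect.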


