If "dtls-legacy = false" then we fail to set up the DTLS connection
My team is trying to set up a locked down ocserv instance, with as much disabled as possible.
When we have the settings:
    match-tls-dtls-ciphers = True
    dtls-legacy = False
    dtls_psk = True
Then the server never sends any X-DTLS-* headers to the client and the client fails to establish a DTLS connection.
The root cause appears to be as follows: In connect_handler:
    ws->udp_state = UP_DISABLED;
    if (WSPCONFIG(ws)->udp_port != 0 && req->master_secret_set != 0) {
        memcpy(ws->master_secret, req->master_secret, TLS_MASTER_SIZE);
        ws->udp_state = UP_WAIT_FD;
    } else {
        oclog(ws, LOG_DEBUG, "disabling UDP (DTLS) connection");
    }
Which is normally set in header_value_check:
    case HEADER_DTLS_CIPHERSUITE:
        if (req->use_psk || !WSCONFIG(ws)->dtls_legacy)
            break;
        str = (char *)value;
        p = strstr(str, DTLS_PROTO_INDICATOR);
        if (p != NULL && (p[sizeof(DTLS_PROTO_INDICATOR)-1] == 0 || p[sizeof(DTLS_PROTO_INDICATOR)-1] == ':')) {
            /* OpenConnect DTLS setup was detected. */
            if (WSCONFIG(ws)->dtls_psk) {
                req->use_psk = 1;
                req->master_secret_set = 1; /* we don't need it */
                req->selected_ciphersuite = NULL;
                break;
            }
        }
The issue appears to be that if !WSCONFIG(ws)->dtls_legacy is true, then we never set req->master_secret_set and so we never send the X-DTLS-* headers.
Am I missing something here?
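To make the chain from the header guard to connect_handler's decision concrete, here is an added C model that replays the reporter's configuration; it is not ocserv code, and the struct layouts, the DTLS_PROTO_INDICATOR value, the sample header value and the "reordered" guard variant are assumptions made for illustration only.

```c
/* Constructed model of the two ocserv code paths quoted in the report.
 * Not ocserv code: structs, indicator string, sample header value and
 * the reordered variant are illustration-only assumptions. */
#include <string.h>
#define DTLS_PROTO_INDICATOR "PSK-NEGOTIATE" /* assumed indicator value */
#define UP_DISABLED 0
#define UP_WAIT_FD  1
struct cfg { int dtls_legacy; int dtls_psk; int udp_port; };
struct req { int use_psk; int master_secret_set; };

/* Same match as the quoted strstr/sizeof check: indicator then NUL or ':' */
static int has_psk_indicator(const char *value)
{
    const char *p = strstr(value, DTLS_PROTO_INDICATOR);
    size_t n = sizeof(DTLS_PROTO_INDICATOR) - 1;
    return p != NULL && (p[n] == 0 || p[n] == ':');
}

/* HEADER_DTLS_CIPHERSUITE handling with the guard exactly as quoted. */
static void header_as_reported(const struct cfg *c, struct req *r, const char *value)
{
    if (r->use_psk || !c->dtls_legacy)
        return; /* dtls-legacy = false exits before PSK detection runs */
    if (has_psk_indicator(value) && c->dtls_psk) {
        r->use_psk = 1;
        r->master_secret_set = 1;
    }
}

/* Hypothetical variant: gate only the legacy-ciphersuite path on dtls_legacy. */
static void header_reordered(const struct cfg *c, struct req *r, const char *value)
{
    if (r->use_psk)
        return;
    if (has_psk_indicator(value) && c->dtls_psk) {
        r->use_psk = 1;
        r->master_secret_set = 1;
        return;
    }
    if (!c->dtls_legacy)
        return; /* legacy ciphersuite selection would follow here */
}

/* connect_handler's decision as quoted: UDP only if a master secret was set. */
static int udp_state_after_connect(const struct cfg *c, const struct req *r)
{
    return (c->udp_port != 0 && r->master_secret_set != 0) ? UP_WAIT_FD : UP_DISABLED;
}

/* Replays the reporter's config (dtls-legacy = false, dtls_psk = true). */
int replay_report(int reordered)
{
    struct cfg c = { 0, 1, 443 }; /* constructed: udp_port 443 */
    struct req r = { 0, 0 };
    const char *hdr = DTLS_PROTO_INDICATOR ":constructed-suite"; /* constructed value */
    (reordered ? header_reordered : header_as_reported)(&c, &r, hdr);
    return udp_state_after_connect(&c, &r);
}
```

With the guard as quoted, replay_report(0) leaves udp_state at UP_DISABLED, which matches the missing X-DTLS-* headers; the reordered variant reaches the PSK branch and yields UP_WAIT_FD.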