cstp: Always restart DTLS after a CSTP disconnect
cstp_reconnect() can get called on its own, e.g. due to a DPD timeout.
Under some circumstances this can cause the DTLS parameters to be
renegotiated.  For instance, start_cstp_connection() sometimes sends a
new master DTLS secret to the gateway.  And Cisco ASAs seem to like
generating new DTLS-Session-ID strings on each reconnect.

If DTLS is not restarted, the client and server will get out of sync and
will not be able to pass data traffic.  The situation is exacerbated by
certain gateway settings, like setting DPD=0 and disabling DTLS rekey,
which may cause the connection to remain in a "living dead" state for
extended periods of time.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
cernekee committed Feb 9, 2014
1 parent ce55d92 commit a53877e
Showing 4 changed files with 4 additions and 4 deletions.
2 changes: 2 additions & 0 deletions gnutls.c
@@ -2009,6 +2009,8 @@ void openconnect_close_https(struct openconnect_info *vpninfo, int final)
FD_CLR(vpninfo->ssl_fd, &vpninfo->select_efds);
vpninfo->ssl_fd = -1;
}
dtls_close(vpninfo, 1);
vpninfo->new_dtls_started = 0;
if (final && vpninfo->https_cred) {
gnutls_certificate_free_credentials(vpninfo->https_cred);
vpninfo->https_cred = NULL;
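Review bot: The two added lines (`dtls_close(vpninfo, 1);` and `vpninfo->new_dtls_started = 0;`) are now duplicated verbatim in the GnuTLS and OpenSSL copies of openconnect_close_https(), which is exactly the kind of divergence that let callers forget DTLS teardown before this change; consider moving them into one shared helper that both backends call. Placing them before `if (final && vpninfo->https_cred)` is right, since the commit message wants DTLS torn down on every CSTP close and not only the final one, but a one-line comment here stating that intent (the gateway may hand out a new DTLS-Session-ID or master secret on reconnect) would keep a future cleanup from hoisting them under the `final` branch.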
1 change: 0 additions & 1 deletion library.c
@@ -129,7 +129,6 @@ static void free_optlist(struct oc_vpn_option *opt)
void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
{
openconnect_close_https(vpninfo, 1);
dtls_close(vpninfo, 1);
if (vpninfo->cmd_fd_write != -1) {
close(vpninfo->cmd_fd);
close(vpninfo->cmd_fd_write);
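Review bot: Dropping `dtls_close(vpninfo, 1);` from openconnect_vpninfo_free() is only safe if openconnect_close_https(vpninfo, 1) reaches its new dtls_close() call on every path, including when ssl_fd is already -1; the visible context in both backends shows the call sitting after the closing brace of the ssl_fd block rather than inside it, so that holds as long as no early return exists above it. A short comment next to `openconnect_close_https(vpninfo, 1);` noting that it now owns DTLS teardown would make that dependency explicit for anyone reading the free path in isolation.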
3 changes: 0 additions & 3 deletions mainloop.c
@@ -112,9 +112,6 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
/* close all connections and wait for the user to call
openconnect_mainloop() again */
openconnect_close_https(vpninfo, 0);
dtls_close(vpninfo, 1);
vpninfo->new_dtls_started = 0;

vpninfo->got_pause_cmd = 0;
vpn_progress(vpninfo, PRG_INFO, _("Caller paused the connection\n"));
return 0;
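Review bot: This pause path calls openconnect_close_https(vpninfo, 0) with final=0, so the removed `dtls_close(vpninfo, 1);` and `vpninfo->new_dtls_started = 0;` are covered only because the new calls in both backends were deliberately placed ahead of the `if (final ...)` check; the existing comment "close all connections and wait for the user to call openconnect_mainloop() again" still reads correctly, but it would be worth extending it to say that DTLS is closed inside openconnect_close_https() so the non-final semantics are not lost in a later refactor.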
2 changes: 2 additions & 0 deletions openssl.c
@@ -1430,6 +1430,8 @@ void openconnect_close_https(struct openconnect_info *vpninfo, int final)
FD_CLR(vpninfo->ssl_fd, &vpninfo->select_efds);
vpninfo->ssl_fd = -1;
}
dtls_close(vpninfo, 1);
vpninfo->new_dtls_started = 0;
if (final) {
if (vpninfo->https_ctx) {
SSL_CTX_free(vpninfo->https_ctx);
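Review bot: Same point as the gnutls.c hunk: the added `dtls_close(vpninfo, 1);` and `vpninfo->new_dtls_started = 0;` are an exact copy of the GnuTLS change, so the two backends now have to be kept in step by hand; a shared helper would remove that risk. The ordering is correct for the commit's goal, since DTLS is closed before the `if (final)` block that frees https_ctx, which means a non-final reconnect tears down DTLS while keeping the SSL context, but a brief comment explaining why DTLS cannot survive a CSTP reconnect would help future readers.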

0 comments on commit a53877e