2 files changed +1 -17 lines changed
+ Remove workaround for OpenSSL 1.1.1 DTLS ClientHello bug.
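Review bot: the newsfragment line should state which OpenSSL releases the removed workaround covered, so that the minimum-version assumption survives the deletion of the code comment that recorded it; the removed comment in the other file says the bug affected the initial 1.1.1 release (as shipped with Ubuntu 18.04) and was fixed in 1.1.1a and later, so something like "Remove workaround for the OpenSSL 1.1.1 (pre-1.1.1a) DTLS ClientHello bug; OpenSSL 1.1.1a or newer is now required for DTLS" would tell users on an old OpenSSL that this change affects them.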
@@ -734,23 +734,6 @@ async def handle_client_hello_untrusted(
# after all.
return
- # Some old versions of OpenSSL have a bug with memory BIOs, where DTLSv1_listen
- # consumes the ClientHello out of the BIO, but then do_handshake expects the
- # ClientHello to still be in there (but not the one that ships with Ubuntu
- # 20.04). In particular, this is known to affect the OpenSSL v1.1.1 that ships
- # with Ubuntu 18.04. To work around this, we deliver a second copy of the
- # ClientHello after DTLSv1_listen has completed. This is safe to do
- # unconditionally, because on newer versions of OpenSSL, the second ClientHello
- # is treated as a duplicate packet, which is a normal thing that can happen over
- # UDP. For more details, see:
- #
- # https://github.com/pyca/pyopenssl/blob/e84e7b57d1838de70ab7a27089fbee78ce0d2106/tests/test_ssl.py#L4226-L4293
- #
- # This was fixed in v1.1.1a, and all later versions. So maybe in 2024 or so we
- # can delete this. The fix landed in OpenSSL master as 079ef6bd534d2, and then
- # was backported to the 1.1.1 branch as d1bfd8076e28.
- stream ._ssl .bio_write (packet )
-
# Check if we have an existing association
old_stream = endpoint ._streams .get (address )
if old_stream is not None :
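Review bot: deleting the `stream ._ssl .bio_write (packet )` resend removes the only handling for the memory-BIO bug without leaving any record of the version it assumes, so on an OpenSSL build that still has the bug (per the removed comment, the initial 1.1.1 release as shipped with Ubuntu 18.04) `do_handshake` will no longer find the ClientHello in the BIO after `DTLSv1_listen` consumed it, and the handshake will fail with nothing pointing at the cause; if that platform is no longer supported, record the OpenSSL 1.1.1a minimum in a short comment at this spot or in the newsfragment rather than letting the assumption disappear with the comment. Only the newsfragment accompanies this hunk (2 files changed), so no test exercises the single-delivery path; since the removed comment justified the resend as harmless on fixed versions because the second ClientHello is treated as a duplicate UDP packet, a DTLS handshake test against a current OpenSSL would confirm that one delivery is sufficient before the resend is dropped.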