Index: d1_clnt.c
===================================================================
RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_clnt.c,v
retrieving revision 1.3.2.9
diff -u -p -r1.3.2.9 d1_clnt.c
--- d1_clnt.c 30 Sep 2007 19:36:32 -0000 1.3.2.9
+++ d1_clnt.c 30 Sep 2008 08:57:33 -0000
@@ -647,6 +647,7 @@ static int dtls1_get_hello_verify(SSL *s
  int n, al, ok = 0;
  unsigned char *data;
  unsigned int cookie_len;
+ unsigned short version = s->version;
 
  n=s->method->ssl_get_message(s,
  DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
@@ -666,7 +667,10 @@ static int dtls1_get_hello_verify(SSL *s
 
  data = (unsigned char *)s->init_msg;
 
- if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
+ if (s->options & SSL_OP_CISCO_ANYCONNECT)
+ version = DTLS1_BAD_VER;
+
+ if ((data[0] != (version>>8)) || (data[1] != (version&0xff)))
  {
  SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
  s->version=(s->version&0xff00)|data[1];
Index: d1_lib.c
===================================================================
RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_lib.c,v
retrieving revision 1.1.2.5
diff -u -p -r1.1.2.5 d1_lib.c
--- d1_lib.c 5 Oct 2007 21:05:27 -0000 1.1.2.5
+++ d1_lib.c 30 Sep 2008 09:06:08 -0000
@@ -187,6 +187,8 @@ void dtls1_clear(SSL *s)
  {
  ssl3_clear(s);
  s->version=DTLS1_VERSION;
+ if (s->options & SSL_OP_CISCO_ANYCONNECT)
+ s->client_version = DTLS1_BAD_VER;
  }
 
 /*
Index: d1_pkt.c
===================================================================
RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_pkt.c,v
retrieving revision 1.4.2.9.2.1
diff -u -p -r1.4.2.9.2.1 d1_pkt.c
--- d1_pkt.c 19 Oct 2007 07:39:53 -0000 1.4.2.9.2.1
+++ d1_pkt.c 30 Sep 2008 08:46:28 -0000
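Review bot: The override `version = DTLS1_BAD_VER` in the -666 hunk carries no comment saying why a local is used instead of changing `s->version`, and a reader will wonder, because the mismatch path two lines later still rewrites `s->version` from `s->version`, not from `version`. Suggested comment above the new `if`: `/* With SSL_OP_CISCO_ANYCONNECT the peer is expected to send DTLS1_BAD_VER here; compare against that but keep s->version at DTLS1_VERSION for the rest of the handshake */`. The declaration in the -647 hunk could carry the override directly, `unsigned short version = (s->options & SSL_OP_CISCO_ANYCONNECT) ? DTLS1_BAD_VER : s->version;`, leaving the comparison as the only statement this hunk touches. The body of dtls1_get_hello_verify continues outside both hunks.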
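Review bot: The `s->client_version = DTLS1_BAD_VER` assignment in dtls1_clear only takes effect if SSL_OP_CISCO_ANYCONNECT was already set when the object was cleared (inherited from the SSL_CTX at SSL_new, or set before SSL_clear); an SSL_set_options call after creation leaves client_version untouched, which is presumably why the d1_pkt.c and t1_enc.c hunks re-test `s->options` next to `client_version` anyway. That ordering constraint should be stated, e.g. `/* Only effective when the option was set before SSL_clear(); the record read/write paths also check s->options directly to cover SSL_set_options() after creation */`, or the assignment dropped in favour of those checks as the single source of truth. As written, client_version also stays DTLS1_BAD_VER after the option is cleared, until the next SSL_clear.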
@@ -978,15 +978,18 @@ start:
  if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
  {
  struct ccs_header_st ccs_hdr;
+ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
 
  dtls1_get_ccs_header(rr->data, &ccs_hdr);
 
  /* 'Change Cipher Spec' is just a single byte, so we know
  * exactly what the record payload has to look like */
  /* XDTLS: check that epoch is consistent */
- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
+ if (s->client_version == DTLS1_BAD_VER ||
+ (s->options & SSL_OP_CISCO_ANYCONNECT))
+ ccs_hdr_len = 3;
+
+ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
  {
  i=SSL_AD_ILLEGAL_PARAMETER;
  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
@@ -1337,7 +1340,8 @@ int do_dtls1_write(SSL *s, int type, con
  *(p++)=type&0xff;
  wr->type=type;
 
- if (s->client_version == DTLS1_BAD_VER)
+ if (s->client_version == DTLS1_BAD_VER ||
+ (s->options & SSL_OP_CISCO_ANYCONNECT))
  *(p++) = DTLS1_BAD_VER>>8,
  *(p++) = DTLS1_BAD_VER&0xff;
  else
Index: s3_clnt.c
===================================================================
RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/s3_clnt.c,v
retrieving revision 1.88.2.9
diff -u -p -r1.88.2.9 s3_clnt.c
--- s3_clnt.c 31 Aug 2007 00:28:51 -0000 1.88.2.9
+++ s3_clnt.c 30 Sep 2008 08:58:48 -0000
@@ -663,6 +663,7 @@ int ssl3_get_server_hello(SSL *s)
  int i,al,ok;
  unsigned int j;
  long n;
+ unsigned short version = s->version;
 #ifndef OPENSSL_NO_COMP
  SSL_COMP *comp;
 #endif
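Review bot: `int ccs_hdr_len` is compared against `rr->length` in the new check; if `rr->length` is unsigned, as record lengths in this file appear to be (confirm against the struct), that is a signed/unsigned comparison, so declare it `unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;` and give the bare `3` a named constant with a comment that the pre-RFC peers send a three-byte ChangeCipherSpec record. The predicate `s->client_version == DTLS1_BAD_VER || (s->options & SSL_OP_CISCO_ANYCONNECT)` is repeated verbatim in do_dtls1_write (the -1337 hunk below); a single static inline helper in this file would keep the two legacy modes from drifting apart. Note also that `dtls1_get_ccs_header(rr->data, &ccs_hdr)` still parses the record before `rr->length` and `rr->off` are validated; unless that helper bounds-checks on its own (not visible here), moving the new length check ahead of the call would validate the untrusted record before reading it.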
@@ -703,7 +704,10 @@ int ssl3_get_server_hello(SSL *s)
 
  d=p=(unsigned char *)s->init_msg;
 
- if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
+ if (s->options & SSL_OP_CISCO_ANYCONNECT)
+ version = DTLS1_BAD_VER;
+
+ if ((p[0] != (version>>8)) || (p[1] != (version&0xff)))
  {
  SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
  s->version=(s->version&0xff00)|p[1];
Index: ssl.h
===================================================================
RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/ssl.h,v
retrieving revision 1.161.2.14.2.1
diff -u -p -r1.161.2.14.2.1 ssl.h
--- ssl.h 19 Oct 2007 07:42:38 -0000 1.161.2.14.2.1
+++ ssl.h 30 Sep 2008 08:24:52 -0000
@@ -511,6 +511,8 @@ typedef struct ssl_session_st
 #define SSL_OP_COOKIE_EXCHANGE 0x00002000L
 /* Don't use RFC4507 ticket extension */
 #define SSL_OP_NO_TICKET 0x00004000L
+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
+#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
 
 /* As server, disallow session resumption on renegotiation */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
Index: t1_enc.c
===================================================================
RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/t1_enc.c,v
retrieving revision 1.35.2.4
diff -u -p -r1.35.2.4 t1_enc.c
--- t1_enc.c 9 Oct 2007 19:22:01 -0000 1.35.2.4
+++ t1_enc.c 30 Sep 2008 09:09:08 -0000
@@ -738,12 +738,18 @@ int tls1_mac(SSL *ssl, unsigned char *md
  md_size=EVP_MD_size(hash);
 
  buf[0]=rec->type;
- if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
+ if (ssl->version == DTLS1_VERSION && (ssl->options & SSL_OP_CISCO_ANYCONNECT))
+ {
+ buf[1]=(unsigned char)(DTLS1_BAD_VER>>8);
+ buf[2]=(unsigned char)(DTLS1_BAD_VER);
+ }
+ else if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
  {
  buf[1]=TLS1_VERSION_MAJOR;
  buf[2]=TLS1_VERSION_MINOR;
  }
- else {
+ else
+ {
  buf[1]=(unsigned char)(ssl->version>>8);
  buf[2]=(unsigned char)(ssl->version);
  }
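Review bot: The override `version = DTLS1_BAD_VER` in ssl3_get_server_hello is gated only on `s->options`, not on the connection being DTLS, yet this routine serves both the TLS and the DTLS client state machines; if SSL_OP_CISCO_ANYCONNECT is set on an SSL_CTX that is also used for plain TLS, every TLS ServerHello would be rejected with SSL_R_WRONG_SSL_VERSION. The t1_enc.c hunks guard the same option with `ssl->version == DTLS1_VERSION &&`; do the same here: `if (s->version == DTLS1_VERSION && (s->options & SSL_OP_CISCO_ANYCONNECT))`. The d1_clnt.c copy of this override sits in a DTLS-only routine and does not need the guard. The body of ssl3_get_server_hello continues outside this hunk.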
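Review bot: The comment on the new SSL_OP_CISCO_ANYCONNECT define says only that it selects Cisco's "speshul" DTLS_BAD_VER, but the option changes wire behaviour in four places in this patch, and a reader of ssl.h should learn what they are and that it is client-side DTLS only. Suggested replacement: `/* Client-only, DTLS-only: speak Cisco AnyConnect's pre-standard DTLS - expect DTLS1_BAD_VER in HelloVerifyRequest/ServerHello, send DTLS1_BAD_VER in record headers and MAC input, accept 3-byte ChangeCipherSpec records */`. The existing comment also spells the macro it refers to as DTLS_BAD_VER rather than DTLS1_BAD_VER.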
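Review bot: The new branch order in tls1_mac makes SSL_OP_CISCO_ANYCONNECT win over `client_version == DTLS1_BAD_VER`, and the two legacy modes now feed different version bytes into the MAC input - DTLS1_BAD_VER for Cisco, TLS1_VERSION_MAJOR/MINOR for the older BAD_VER peers - although do_dtls1_write (the d1_pkt.c -1337 hunk) puts DTLS1_BAD_VER on the wire in both cases. That asymmetry is presumably what each peer requires, but it deserves a comment so nobody "fixes" it later, e.g. `/* Cisco peers MAC the DTLS1_BAD_VER bytes they send on the wire; other DTLS1_BAD_VER peers MAC TLS 1.0 version bytes despite sending DTLS1_BAD_VER */`. `buf[2]=(unsigned char)(DTLS1_BAD_VER);` relies on the cast to discard the high byte; `(unsigned char)(DTLS1_BAD_VER&0xff)`, matching d1_pkt.c, states the intent. The body of tls1_mac continues outside this hunk.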
@@ -755,10 +761,11 @@ int tls1_mac(SSL *ssl, unsigned char *md
  HMAC_CTX_init(&hmac);
  HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
 
- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
+ if ((ssl->version == DTLS1_VERSION &&
+ ((ssl->client_version != DTLS1_BAD_VER) ||
+ (ssl->options & SSL_OP_CISCO_ANYCONNECT))))
  {
  unsigned char dtlsseq[8],*p=dtlsseq;
-
  s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
  memcpy (p,&seq[2],6);