Ah, you've hit upon a slew of odd behaviors which only got fully fixed on
the master branch.
As a server, yes. Mismatching resumed and negotiated version isn't
interoperable with any client out there. This was fixed in 1.0.2 I believe
with:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9e189b9dc10786c755919e6792e923c584c918a1
A server must first do version negotiation and then, if the version does
not match the offered session, decline to resume a session and negotiate a
full handshake.

As a client, no. This was the old behavior and causes all kinds of
problems. It should not be restored. See the discussions here:
https://github.com/openssl/openssl/pull/603
https://github.com/tlswg/tls13-spec/issues/136
If configured to offer, say, a TLS 1.1 session while the maximum version is
TLS 1.2, offer the session BUT advertise a maximum version of TLS 1.2. If
the server accepts the session, treat it as a fatal error if the session's
version does not match the negotiated version.

Anything else will cause tons of interoperability problems or weird
behaviors.

(Although 1.0 through 1.2 are more-or-less the same protocol, assuming that
"sessions" are somehow analogous across protocol versions is a bad idea.
Say you tried a resume a 1.2 AES-GCM session at 1.1. Also 1.3 resumption is
completely different from 1.2 resumption and definitely should not be
mixed.)
(I'm not familiar with DTLS1_BAD_VER, but if it's a different protocol
version, it sounds like you should configure it like other versions and not
mess with session resumption bugs.)

David

Thanks for the comprehensive response. I'm not going to touch that with
a barge-pole then.
It's a different protocol version, and the *only* way it ever gets used
in the modern world is with a session resume (because that's how
Cisco's AnyConnect VPN works). Hence the thought process was that if
the session resume would *force* the protocol version (which you now
told me it shouldn't, for the client), then I wouldn't *need* any other
method of specifying it.

In RT#3711 we had previously talked about the option of enabling full
support via something like DTLSv0_9_client_method(), and it had been
decided not to — on the basis that the existing SSL_OP_CISCO_ANYCONNECT
hack was sufficient.

That's less true now with the generic DTLS_client_method() and
DTLS_ANY_VERSION, because the SSL_OP_CISCO_ANYCONNECT hack needs to be
propagated into a lot more places and it actually ends up being
*cleaner* to implement it "properly" AFAICT.

I've updated my submission in PR#1296 accordingly; thanks for the
feedback.

https://github.com/openssl/openssl/pull/1296