[Openvpn-devel,2/3] Add support for TLS 1.3 in --tls-version-{min, max}

Message ID 20171126141555.25930-2-steffan@karger.me
State Accepted
Series [Openvpn-devel,1/3] Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+

Commit Message

Steffan Karger Nov. 26, 2017, 3:15 a.m. UTC
Tested with the current openssl master branch for TLS 1.3 support.

mbed TLS has no public builds with TLS 1.3 support yet, so nothing to do
there right now.

Signed-off-by: Steffan Karger <steffan@karger.me>
---
 src/openvpn/ssl.c         |  4 ++++
 src/openvpn/ssl_backend.h |  1 +
 src/openvpn/ssl_openssl.c | 10 +++++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

Comments

Gert Doering Jan. 20, 2018, 2:07 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Straightforward extension of the current code to add another branch
for 1.3.  Since it's really trivial, does not change existing code paths,
and we want 2.4 to be "ready for TLS 1.3 when it shows up", applied to 2.4
as well.

Your patch has been applied to the master and release/2.4 branch.

commit 8ca9eda119638a88863118affd69dfaf8b867c92 (master)
commit 59dbb8602f30d278bd152a4a736c2af8345368eb (release/2.4)
Author: Steffan Karger
Date:   Sun Nov 26 15:15:54 2017 +0100

     Add support for TLS 1.3 in --tls-version-{min, max}

     Signed-off-by: Steffan Karger <steffan@karger.me>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20171126141555.25930-2-steffan@karger.me>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15932.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering


Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 843bc393..d61688c5 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -530,6 +530,10 @@  tls_version_parse(const char *vstr, const char *extra)
     {
         return TLS_VER_1_2;
     }
+    else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
+    {
+        return TLS_VER_1_3;
+    }
     else if (extra && !strcmp(extra, "or-highest"))
     {
         return max_version;
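Review bot: the new "1.3" value is accepted by the parser but not documented; the diffstat touches no man page or Changes entry, so the list of accepted values for --tls-version-min and --tls-version-max should be updated in the same series. Otherwise the branch mirrors the "1.2" case directly above it, and the `TLS_VER_1_3 <= max_version` guard means that on a backend whose maximum is lower, "1.3" falls through to the `or-highest` branch or whatever follows it rather than being accepted silently.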
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index f588110c..7f6057e6 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -114,6 +114,7 @@  void tls_clear_error(void);
 #define TLS_VER_1_0     1
 #define TLS_VER_1_1     2
 #define TLS_VER_1_2     3
+#define TLS_VER_1_3     4
 int tls_version_parse(const char *vstr, const char *extra);
 
 /**
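Review bot: the numeric ordering of these macros is load-bearing, since tls_version_parse() compares `TLS_VER_1_3 <= max_version` and tls_version_max() returns the highest of them; a one-line comment above the block stating that TLS_VER_* values must stay in ascending protocol order would protect the comparisons against a future insertion in the wrong place.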
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b645b469..18c0ba5f 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -206,7 +206,9 @@  info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
 int
 tls_version_max(void)
 {
-#if defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
+#if defined(TLS1_3_VERSION)
+    return TLS_VER_1_3;
+#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
     return TLS_VER_1_2;
 #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
     return TLS_VER_1_1;
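Review bot: `defined(TLS1_3_VERSION)` only shows that the headers know the version constant, not that the library OpenVPN links against was built with TLS 1.3 enabled; OpenSSL exposes OPENSSL_NO_TLS1_3 for a build configured with no-tls1_3, so `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)` would stop `--tls-version-min 1.x or-highest` from resolving to a maximum the runtime cannot negotiate. The 1.2 and 1.1 branches below accept either the TLS1_x_VERSION or the SSL_OP_NO_TLSv1_x macro; whichever form is chosen for 1.3, the same condition should be reused in openssl_tls_version() so the two functions agree on what is supported.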
@@ -231,6 +233,12 @@  openssl_tls_version(int ver)
     {
         return TLS1_2_VERSION;
     }
+#if defined(TLS1_3_VERSION)
+    else if (ver == TLS_VER_1_3)
+    {
+        return TLS1_3_VERSION;
+    }
+#endif
     return 0;
 }
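Review bot: the `#if defined(TLS1_3_VERSION)` guard matches the one in tls_version_max(), and without it a caller passing TLS_VER_1_3 would reach `return 0;` like any other unknown version, which is the right fallback. Keep the two guards identical: if the condition in tls_version_max() is later tightened (for example to exclude builds without TLS 1.3), this one must be tightened in the same way, or tls_version_max() could report a version that this function then maps to 0.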