[Openvpn-devel,v4] Add insecure tls-cert-profile options
Commit Message
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
to reallow them in certain deployments. Currently this works by using the
hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to
tls-cert-profile to allow setting a seclevel of 0.
Patch v4: fix default accidentally changed to insecure
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
doc/man-sections/tls-options.rst | 6 ++++++
src/openvpn/ssl_mbedtls.c | 3 ++-
src/openvpn/ssl_openssl.c | 4 ++++
3 files changed, 12 insertions(+), 1 deletion(-)
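Before switching a deployment to the new profile it helps to know which certificates are actually SHA1-signed. The following is an added example, not part of this patch or of the OpenVPN project, written in standard-library Python rather than the project's C: a small DER walker that reports the signature algorithm of a certificate, so an operator can tell which certs OpenSSL 3.0 will reject at security level 1 (the `legacy` profile) and which therefore need `insecure` (level 0) until they are reissued. The OID table, the helper names and the certificate skeleton builder (`sample_cert`, `sample_pem`) are constructed for this example; real certificates would be read from the files given to `ca` and `cert` via `pem_to_der()`.

```python
"""Added example, not OpenVPN project code: report the signature algorithm of an
X.509 certificate so SHA1-signed certs (rejected by OpenSSL 3.0 at security
level 1, i.e. the `legacy` profile) can be found before deciding whether
`--tls-cert-profile insecure` is needed. Standard library only; the OID table
and the certificate skeleton builder are constructed for this example."""
import base64
import re

# Signature-algorithm OIDs -> (name, digest); subset of PKCS#1 and X9.62 assignments.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def read_tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length

def decode_oid(raw):
    """OBJECT IDENTIFIER content bytes -> dotted notation."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]                         # first byte packs the first two arcs
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def signature_oid(cert_der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    and return signatureAlgorithm.algorithm as a dotted OID."""
    tag, pos, _ = read_tlv(cert_der, 0)               # Certificate SEQUENCE
    tag2, _, tbs_end = read_tlv(cert_der, pos)        # skip tbsCertificate
    tag3, pos, _ = read_tlv(cert_der, tbs_end)        # AlgorithmIdentifier
    tag4, start, end = read_tlv(cert_der, pos)        # its first field: the OID
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("unexpected DER layout for a Certificate")
    return decode_oid(cert_der[start:end])

def pem_to_der(text):
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def classify(cert_der):
    """Return (algorithm name, digest, needs_insecure_profile)."""
    oid = signature_oid(cert_der)
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    # OpenSSL 3.0 rejects SHA1 (and the weaker MD5) certificate signatures at
    # security level 1, which `legacy` selects; only `insecure` (level 0) accepts them.
    return name, digest, digest in ("sha1", "md5")

# Constructed sample data: a structurally valid but unsigned certificate skeleton,
# enough for the walker above; real certificates come from pem_to_der().
def der(tag, content):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Dotted OID -> content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)

def sample_cert(sig_oid):
    tbs = der(0x30, der(0x02, b"\x02"))              # placeholder tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # {oid, NULL}
    sig = der(0x03, b"\x00" + b"\xAA" * 8)           # dummy signature BIT STRING
    return der(0x30, tbs + alg + sig)

def sample_pem(sig_oid):
    body = base64.b64encode(sample_cert(sig_oid)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

Running `classify(pem_to_der(open("ca.crt").read()))` over the CA and leaf certificates of a deployment gives the list of certificates that force `--tls-cert-profile insecure`; the right long-term fix is to reissue those with SHA-256 and go back to `legacy`, since level 0 relaxes far more than the SHA1 check.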
Comments
On 29/10/2021 13:24, Arne Schwabe wrote:
> The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
> to reallow them in certain deployments. Currently this works by using the
> hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to
> tls-cert-profile to allow setting a seclevel of 0.
>
> Patch v4: fix default accidentally changed to insecure
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
With OpenSSL 3, OpenVPN accepts certs signed with SHA1 if and only if
"--tls-cert-profile insecure" is used.
(Client-side) tested with 1.1.1 and 3.0.0.
Without options, my sha1 certificates still fail for the 3.0.0 build,
and *with* "tls-cert-profile insecure" it works.
Your patch has been applied to the master branch.
commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67
Author: Arne Schwabe
Date: Fri Oct 29 13:24:07 2021 +0200
Add insecure tls-cert-profile options
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211029112407.2004234-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
Hi,
On Fri, Nov 05, 2021 at 05:03:21PM +0100, Gert Doering wrote:
> (Client-side) tested with 1.1.1 and 3.0.0.
>
> Without options, my sha1 certificates still fail for the 3.0.0 build,
> and *with* "tls-cert-profile insecure" it works.
>
> Your patch has been applied to the master branch.
>
> commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67
> Author: Arne Schwabe
> Date: Fri Oct 29 13:24:07 2021 +0200
>
> Add insecure tls-cert-profile options
Based on the discussion on IRC (just now) I have applied this to 2.5
as well - Ubuntu 22.04 builds with OpenSSL 3.0.x, and without that patch,
existing user setups with sha1 certs will break, with no option to work
around that.
commit 7b1b100557608db8a311d06f7578ceb7c4d33aa6 (HEAD -> release/2.5)
Author: Arne Schwabe <arne@rfc2549.org>
Date: Fri Oct 29 13:24:07 2021 +0200
Add insecure tls-cert-profile options
(cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67)
gert
@@ -373,6 +373,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
The following profiles are supported:
+ :code:`insecure`
+ Identical for mbed TLS to `legacy`
+
:code:`legacy` (default)
SHA1 and newer, RSA 2048-bit+, any elliptic curve.
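Review bot: the new `insecure` entry reads awkwardly ("Identical for mbed TLS to `legacy`") and does not tell the reader why the profile exists; since this is the mbed TLS list, suggest "Identical to `legacy` on mbed TLS builds; only has an effect with OpenSSL (see below)." so a user does not expect it to relax mbed TLS certificate checks.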
@@ -385,6 +388,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
This option is only fully supported for mbed TLS builds. OpenSSL builds
use the following approximation:
+ :code:`insecure`
+ sets "security level 0"
+
:code:`legacy` (default)
sets "security level 1"
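Review bot: `sets "security level 0"` understates the change in the `insecure` entry: OpenSSL's level 0 lifts every algorithm, key-size and signature-digest floor, not only the SHA1 rejection the commit message is working around. Suggest wording it as "sets "security level 0", which disables all of OpenSSL's algorithm, key-size and signature-digest restrictions (not only the SHA1 signature check); use only until the affected certificates are reissued."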
@@ -336,7 +336,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
void
tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
- if (!profile || 0 == strcmp(profile, "legacy"))
+ if (!profile || 0 == strcmp(profile, "legacy")
+ || 0 == strcmp(profile, "insecure"))
{
ctx->cert_profile = openvpn_x509_crt_profile_legacy;
}
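Review bot: on mbed TLS `insecure` is silently folded into the `legacy` branch of the `strcmp` chain, so a config copied from an OpenSSL build gets no indication that the option changed nothing; consider a separate `else if (0 == strcmp(profile, "insecure"))` branch that sets `openvpn_x509_crt_profile_legacy` and logs via `msg(M_WARN, ...)` that `insecure` is treated as `legacy` on mbed TLS, matching the doc hunk's wording.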
@@ -536,6 +536,10 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
SSL_CTX_set_security_level(ctx->ctx, 1);
}
+ else if (0 == strcmp(profile, "insecure"))
+ {
+ SSL_CTX_set_security_level(ctx->ctx, 0);
+ }
else if (0 == strcmp(profile, "preferred"))
{
SSL_CTX_set_security_level(ctx->ctx, 2);
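Review bot: the `insecure` branch calls `SSL_CTX_set_security_level(ctx->ctx, 0)` without any log line, yet level 0 removes every algorithm and key-size floor OpenSSL enforces, not only the SHA1 signature check the commit message targets; add a `msg(M_WARN, ...)` in that branch so the relaxation is visible in the logs and an operator can tell from them that `--tls-cert-profile insecure` is in effect.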