| Message ID | 80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de |
|---|---|
| State | Changes Requested |
| Delegated to | Steffan Karger |
| Series | [Openvpn-devel] openssl 1.1 tls version support |
Hi,

Thanks for taking this to the openvpn-devel list. The proposed patch doesn't follow our approach of hiding the openssl 1.0/1.1 API compatibility mess inside openssl_compat.h, so we'll have to rework it before including it. I will pick this up some time soon, but have very limited access to the internet (or time to hack on openvpn) currently, so it might take me a few weeks. But there won't be a release before that time anyway, and in the meantime users that are really caught by this can put "@SECLEVEL=1" inside their --tls-cipher to work around this if I understand the docs correctly [0].

@Kurt: for future reference, how are we supposed to be aware of this kind of deprecated function, and how do we know what The New Right Way is? https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes for example does not mention this at all.

-Steffan

[0] https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html

On 04-10-17 16:38, Bernhard Schmidt wrote:
> Hi,
>
> in https://bugs.debian.org/873302 Kurt Roeckx (Debian OpenSSL
> maintainer) submitted a patch for OpenVPN to properly set the minimum
> and maximum TLS version. On Debian Buster (current development) OpenSSL
> 1.1 defaults to TLSv1.2+ only.
>
> I'm unwilling to carry crypto specific patches in Debian. Can anyone
> make some sense out of this and apply the patch if possible?
>
> Please keep Kurt CCed and direct any questions to him.
>
> Bernhard
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
--- src/openvpn/ssl_openssl.c.bak 2017-08-26 13:10:40.333428825 +0200 +++ src/openvpn/ssl_openssl.c 2017-08-26 13:12:05.143672978 +0200 @@ -215,6 +215,19 @@ #endif } +/* convert internal version number to openssl version number */ +static int +openssl_tls_version(int ver) +{ + if (ver == TLS_VER_1_0) + return TLS1_VERSION; + else if (ver == TLS_VER_1_1) + return TLS1_1_VERSION; + else if (ver == TLS_VER_1_2) + return TLS1_2_VERSION; + return 0; +} + void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { @@ -232,6 +245,17 @@ tls_ver_max = (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; + +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + if (tls_ver_min <= TLS_VER_UNSPEC) + { + SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min)); + } + if (tls_ver_max <= TLS_VER_UNSPEC) + { + SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max)); + } +#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/ if (tls_ver_max <= TLS_VER_UNSPEC) { tls_ver_max = tls_version_max(); @@ -253,6 +277,7 @@ sslopt |= SSL_OP_NO_TLSv1_2; } #endif +#endif /* OPENSSL_VERSION_NUMBER */ #ifdef SSL_OP_NO_COMPRESSION /* Disable compression - flag not available in OpenSSL 0.9.8 */ sslopt |= SSL_OP_NO_COMPRESSION;
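Review bot: In the first hunk (@@ -215,6 +215,19 @@), the new static helper openssl_tls_version() is defined unconditionally but is only called from inside the `#if OPENSSL_VERSION_NUMBER >= 0x10100000` block added in the second hunk, so on OpenSSL 1.0.x it is an unused static function (a -Wunused-function warning, and an error under -Werror), and it references TLS1_1_VERSION / TLS1_2_VERSION, which the surrounding file still takes care not to assume on older OpenSSL (see the "flag not available in OpenSSL 0.9.8" comment in the third hunk). Either wrap the helper in the same version guard or, as the maintainer's reply asks, move it and the version mapping into openssl_compat.h so ssl_openssl.c sees one API on both OpenSSL branches.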
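Review bot: In the second hunk (@@ -232,6 +245,17 @@), the conditions `if (tls_ver_min <= TLS_VER_UNSPEC)` and `if (tls_ver_max <= TLS_VER_UNSPEC)` look inverted: in the existing code right below, `tls_ver_max <= TLS_VER_UNSPEC` means "the user did not specify a version" (that is when `tls_ver_max = tls_version_max();` substitutes the default), so the new branch calls SSL_CTX_set_min_proto_version() / SSL_CTX_set_max_proto_version() only when nothing was configured, and then with openssl_tls_version(TLS_VER_UNSPEC), which returns 0. A configured --tls-version-min or --tls-version-max is therefore never passed to OpenSSL 1.1, which is exactly the case the patch is meant to fix. The test should be `> TLS_VER_UNSPEC` (or the setters can be called unconditionally, since 0 means "no restriction" for both SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()); the return values of the two setters are also ignored, while the 1.0 path below reports its errors, so checking them and failing the context setup on error would keep behaviour consistent.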
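Review bot: In the third hunk (@@ -253,6 +277,7 @@), the closing `#endif /* OPENSSL_VERSION_NUMBER */` does not name the condition it closes, whereas the matching `#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/` in the second hunk does; with the `#endif` for the inner `SSL_OP_NO_TLSv1_2` block on the line directly above, the two nested guards are easy to confuse, so the trailing comment should read `/* OPENSSL_VERSION_NUMBER >= 0x10100000 */` (and the `#else` comment should get a space before its closing `*/`). More broadly, this `#endif` shows that the whole SSL_OP_NO_TLSv1* / tls_version_max() logic has now become a second, OpenSSL-1.0-only implementation living next to the 1.1 one inside tls_ctx_set_options(), which is the duplication the maintainer's reply asks to keep out of ssl_openssl.c and behind a single interface in openssl_compat.h.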