[Openvpn-devel] openssl 1.1 tls version support

Message ID 80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de
State Changes Requested
Delegated to: Steffan Karger
Series [Openvpn-devel] openssl 1.1 tls version support

Commit Message

Bernhard Schmidt Oct. 4, 2017, 3:38 a.m. UTC
Hi,

in https://bugs.debian.org/873302 Kurt Roeckx (Debian OpenSSL
maintainer) submitted a patch for OpenVPN to properly set the minimum
and maximum TLS version. On Debian Buster (current development) OpenSSL
1.1 defaults to TLSv1.2+ only.

I'm unwilling to carry crypto specific patches in Debian. Can anyone
make some sense out of this and apply the patch if possible?

Please keep Kurt CCed and direct any questions to him.

Bernhard
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Comments

Steffan Karger Oct. 5, 2017, 2:49 a.m. UTC | #1
Hi,

Thanks for taking this to the openvpn-devel list.

The proposed patch doesn't follow our approach of hiding the openssl
1.0/1.1 API compatibility mess inside openssl_compat.h, so we'll have to
rework it before including it.  I will pick this up some time soon, but
have very limited access to internet (nor time to hack on openvpn)
currently, so it might take me a few weeks.  But there won't be a
release before that time anyway, and in the meantime users that are
really caught by this can put "@SECLEVEL=1" inside their --tls-cipher to
work around this if I understand the docs correctly [0].

@Kurt: for future reference, how are we supposed to be aware of these
kinds of deprecated functions, and how do we know what The New Right Way
is?  https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes for
example does not mention this at all.

-Steffan

[0]
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html

On 04-10-17 16:38, Bernhard Schmidt wrote:
> Hi,
> 
> in https://bugs.debian.org/873302 Kurt Roeckx (Debian OpenSSL
> maintainer) submitted a patch for OpenVPN to properly set the minimum
> and maximum TLS version. On Debian Buster (current development) OpenSSL
> 1.1 defaults to TLSv1.2+ only.
> 
> I'm unwilling to carry crypto specific patches in Debian. Can anyone
> make some sense out of this and apply the patch if possible?
> 
> Please keep Kurt CCed and direct any questions to him.
> 
> Bernhard
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
> 


Patch

--- src/openvpn/ssl_openssl.c.bak	2017-08-26 13:10:40.333428825 +0200
+++ src/openvpn/ssl_openssl.c	2017-08-26 13:12:05.143672978 +0200
@@ -215,6 +215,19 @@ 
 #endif
 }
 
+/* convert internal version number to openssl version number */
+static int
+openssl_tls_version(int ver)
+{
+    if (ver == TLS_VER_1_0)
+        return TLS1_VERSION;
+    else if (ver == TLS_VER_1_1)
+        return TLS1_1_VERSION;
+    else if (ver == TLS_VER_1_2)
+        return TLS1_2_VERSION;
+    return 0;
+}
+
 void
 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
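Review bot: openssl_tls_version() is defined unconditionally but is only called from inside the `#if OPENSSL_VERSION_NUMBER >= 0x10100000` branch added in the next hunk, so builds against OpenSSL 1.0.x get an unused-static-function warning (an error under -Werror). Wrap the helper in the same guard, or, following Steffan's comment, move it into openssl_compat.h with the rest of the 1.0/1.1 compatibility code. The fall-through `return 0;` also deserves a comment: for SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() a 0 means "lowest/highest version the library supports", which is the right thing for TLS_VER_UNSPEC but silently applies to any unexpected value as well.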
@@ -232,6 +245,17 @@ 
 
         tls_ver_max =
             (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+        if (tls_ver_min <= TLS_VER_UNSPEC)
+        {
+            SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min));
+        }
+        if (tls_ver_max <= TLS_VER_UNSPEC)
+        {
+            SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max));
+        }
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/
         if (tls_ver_max <= TLS_VER_UNSPEC)
         {
             tls_ver_max = tls_version_max();
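Review bot: the two conditions in the new OpenSSL 1.1 branch look inverted. The pre-existing code directly below treats `tls_ver_max <= TLS_VER_UNSPEC` as "no version given" and substitutes tls_version_max(), so `if (tls_ver_min <= TLS_VER_UNSPEC)` and `if (tls_ver_max <= TLS_VER_UNSPEC)` only call SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() when the user did not set a bound (passing openssl_tls_version(TLS_VER_UNSPEC), i.e. 0, no limit) and skip them entirely when --tls-version-min or --tls-version-max is actually configured. Both checks should be `> TLS_VER_UNSPEC`. Please also check the return value of the two calls (they return 0 on failure, e.g. for a protocol version the library was built without) and note in a comment that, unlike the SSL_OP_NO_* path, leaving a bound unset here defers to OpenSSL's own defaults, which is exactly the Debian behaviour that prompted this patch.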
@@ -253,6 +277,7 @@ 
             sslopt |= SSL_OP_NO_TLSv1_2;
         }
 #endif
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifdef SSL_OP_NO_COMPRESSION
         /* Disable compression - flag not available in OpenSSL 0.9.8 */
         sslopt |= SSL_OP_NO_COMPRESSION;
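Review bot: the new `#endif /* OPENSSL_VERSION_NUMBER */` should repeat the full condition (`>= 0x10100000`) like the `#else` comment in the previous hunk does, since it now closes one line after the pre-existing `#endif` and the nesting is otherwise hard to follow. More generally, keying the block on a raw OPENSSL_VERSION_NUMBER test inside ssl_openssl.c is what Steffan's reply objects to; the version check belongs in openssl_compat.h, exposing a single helper that ssl_openssl.c can call on either OpenSSL branch.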