From patchwork Wed Jun 23 08:37:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1868 X-Patchwork-Delegate: gert@greenie.muc.de Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id IHIEKNh/02A1EgAAIUCqbw (envelope-from ) for ; Wed, 23 Jun 2021 14:39:20 -0400 Received: from proxy4.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id AIXfJ9h/02BoSQAApN4f7A (envelope-from ) for ; Wed, 23 Jun 2021 14:39:20 -0400 Received: from smtp23.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.ord1d.rsapps.net with LMTPS id oOx9J9h/02CTSQAAiYrejw (envelope-from ) for ; Wed, 23 Jun 2021 14:39:20 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 5155ee38-d452-11eb-9ff4-b8ca3a678528-1-1 Received: from [216.105.38.7] ([216.105.38.7:57234] helo=lists.sourceforge.net) by smtp23.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id D0/2C-05550-6DF73D06; Wed, 23 Jun 2021 14:39:19 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from ) id 1lw7kx-0002EM-U0; Wed, 23 Jun 2021 18:37:47 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from ) id 1lw7kv-0002ED-A4 for openvpn-devel@lists.sourceforge.net; Wed, 23 Jun 2021 18:37:45 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=IWax+mz3EJ/+FfRxv9onK7zv6DQyuilZ6Lm8l0dFUR4=; b=erzJMSque1r34g8CLb4DAl7+Jb xazJ27Bzn4R+HlLpqjp7V68ViIuSQcmWFC3K4eu/uPGsnIvFyUJ6hk+ILh7ChjXm8ryeZxNkP861/ EbLK7ZYQ0e/HPRSEUkM3CljKtzeoXJ2JVLym7jaWQ85KsIb9Vnyzh9x+SSX3Fm4Py/b0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=IWax+mz3EJ/+FfRxv9onK7zv6DQyuilZ6Lm8l0dFUR4=; b=U 9YuuyVvGQgGERJml/HA9GncY3KlF3fal/uTv9vPmCvA77JxMx5BTjg2REjIgTusrjIHeJXIpNhhIo XLJ9Vphy5TILp1tvin/H5b3t2RSv2ophnk8lHeoemEzf/pZq56Z5XEAtXL/7B9c7RG6P/yBmGbRbn hgik5lW3y/3eNgr0=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1lw7kq-0004Uk-K3 for openvpn-devel@lists.sourceforge.net; Wed, 23 Jun 2021 18:37:45 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1lw7ke-000HQc-Bt for openvpn-devel@lists.sourceforge.net; Wed, 23 Jun 2021 20:37:28 +0200 Received: (nullmailer pid 2565332 invoked by uid 10006); Wed, 23 Jun 2021 18:37:28 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 23 Jun 2021 20:37:28 +0200 Message-Id: <20210623183728.2565286-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lw7kq-0004Uk-K3 Subject: [Openvpn-devel] [PATCH] Fix tls-cert-profile broken on OpenSSL 1.1+ X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Commit bc36d9d569 removed the autoconf detection of various OpenSSL functions. This overlooked HAVE_SSL_CTX_SET_SECURITY_LEVEL check in tls_ctx_set_cert_profile. Replace this also with a version number based check. Tested with LibreSSL on OpenBSD 6.8, OpenSSL 1.1 and wolfSSL. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/ssl_openssl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 3120c51a8..45a14218e 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -523,7 +523,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { -#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL +#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL does not have certificate profiles, but a complex set of * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) @@ -545,13 +545,13 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile); } -#else /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */ +#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L */ if (profile) { - msg(M_WARN, "WARNING: OpenSSL 1.0.2 does not support --tls-cert-profile" - ", ignoring user-set profile: '%s'", profile); + msg(M_WARN, "WARNING: OpenSSL 1.0.2 and LibreSSL do not support " + "--tls-cert-profile, ignoring user-set profile: '%s'", profile); } -#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */ +#endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */ } void