From patchwork Tue Oct 19 07:23:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2001 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id GGT4NWYNb2GXLwAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:24:38 -0400 Received: from proxy1.mail.ord1c.rsapps.net ([172.28.255.1]) by director14.mail.ord1d.rsapps.net with LMTP id aBi9NWYNb2FpAQAAeJ7fFg (envelope-from ) for ; Tue, 19 Oct 2021 14:24:38 -0400 Received: from smtp23.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.ord1c.rsapps.net with LMTPS id sCtLGmYNb2G6QQAA2VeTtA (envelope-from ) for ; Tue, 19 Oct 2021 14:24:38 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: d162e87e-3109-11ec-91e7-b8ca3a678528-1-1 Received: from [216.105.38.7] ([216.105.38.7:33498] helo=lists.sourceforge.net) by smtp23.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 45/53-01526-66D0F616; Tue, 19 Oct 2021 14:24:38 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from ) id 1mctmE-0000qe-9k; Tue, 19 Oct 2021 18:23:54 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from ) id 1mctmC-0000pp-H6 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:23:52 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=uUrrXID36UnmYpghOfx/+XaCTWxs6K7NW92ktDrk0DY=; b=eGgS4C38Qoudl0Os1hGGezFQCf ue35cv+h6VHScIqaPOUmLwXvjrzNpHXEJBxxvvaLwHIAx2yslVXvtpEQK2RCbSL5iNPYCY+kmWYug GMb91KX/oY4UqOqZxMXWoWYIcskHjRTF/NG3HUQSmQ+9QlGi4h6xOKLcCdkRNcx0UH+E=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=uUrrXID36UnmYpghOfx/+XaCTWxs6K7NW92ktDrk0DY=; b=QYTX/rGaPHqMXZYpJEJHtTHvhX W0c+kM2rEcqn6x7GBpVfxCrTVHgFH2Ge6nFUsIzWghiJ8/mD755UGQQR6wLAlNr2aSgG5ogH1ZOmy Sf/fBiTg/JIcLJwWX4MqUs14a1/JM067IqKxLT6U5jdMtRTDUxum05KVbM2PG5haWcEA=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mctm1-0005Ze-DA for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:23:52 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mctlu-0008bS-Bm for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 20:23:34 +0200 Received: (nullmailer pid 613271 invoked by uid 10006); Tue, 19 Oct 2021 18:23:34 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 19 Oct 2021 20:23:27 +0200 Message-Id: <20211019182332.613155-23-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211019182332.613155-1-arne@rfc2549.org> References: <20211019182332.613155-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to reallow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mctm1-0005Ze-DA Subject: [Openvpn-devel] [PATCH v2 16/16] Add insecure tls-cert-profile options X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to reallow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to tls-cert-profile to allow setting a seclevel of 0. Signed-off-by: Arne Schwabe --- doc/man-sections/tls-options.rst | 6 ++++++ src/openvpn/ssl_mbedtls.c | 3 ++- src/openvpn/ssl_openssl.c | 6 +++++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index eaf38395d..ac5756034 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -373,6 +373,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa The following profiles are supported: + :code:`insecure` + Identical for mbed TLS to `legacy` + :code:`legacy` (default) SHA1 and newer, RSA 2048-bit+, any elliptic curve. @@ -385,6 +388,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa This option is only fully supported for mbed TLS builds. OpenSSL builds use the following approximation: + :code:`insecure` + sets "security level 0" + :code:`legacy` (default) sets "security level 1" diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e7c45c099..acf4993fd 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -336,7 +336,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { - if (!profile || 0 == strcmp(profile, "legacy")) + if (!profile || 0 == strcmp(profile, "legacy") + || 0 == strcmp(profile, "insecure")) { ctx->cert_profile = openvpn_x509_crt_profile_legacy; } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index d93292700..b29765daf 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -532,7 +532,11 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) * behaviour. */ - if (!profile || 0 == strcmp(profile, "legacy")) + if (!profile || 0 == strcmp(profile, "insecure")) + { + SSL_CTX_set_security_level(ctx->ctx, 0); + } + else if (!profile || 0 == strcmp(profile, "legacy")) { SSL_CTX_set_security_level(ctx->ctx, 1); }