[Openvpn-devel,v2,19/20] Add insecure tls-cert-profile options

Message ID 20211019182332.613155-27-arne@rfc2549.org
State Superseded
Headers show
Series
  • OpenSSL 3.0 improvements for OpenVPN
Related show

Commit Message

Arne Schwabe Oct. 19, 2021, 6:23 p.m.
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
to reallow them in certain deployments. Currently this works by using the
hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to
tls-cert-profile to allow setting a seclevel of 0.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 doc/man-sections/tls-options.rst | 6 ++++++
 src/openvpn/ssl_mbedtls.c        | 3 ++-
 src/openvpn/ssl_openssl.c        | 6 +++++-
 3 files changed, 13 insertions(+), 2 deletions(-)

Patch

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index eaf38395d..ac5756034 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -373,6 +373,9 @@  certificates and keys: https://github.com/OpenVPN/easy-rsa
 
   The following profiles are supported:
 
+  :code:`insecure`
+      Identical for mbed TLS to `legacy`
+
   :code:`legacy` (default)
       SHA1 and newer, RSA 2048-bit+, any elliptic curve.
 
@@ -385,6 +388,9 @@  certificates and keys: https://github.com/OpenVPN/easy-rsa
   This option is only fully supported for mbed TLS builds. OpenSSL builds
   use the following approximation:
 
+  :code:`insecure`
+      sets "security level 0"
+
   :code:`legacy` (default)
       sets "security level 1"
 
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index e7c45c099..acf4993fd 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -336,7 +336,8 @@  tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
 {
-    if (!profile || 0 == strcmp(profile, "legacy"))
+    if (!profile || 0 == strcmp(profile, "legacy")
+        || 0 == strcmp(profile, "insecure"))
     {
         ctx->cert_profile = openvpn_x509_crt_profile_legacy;
     }
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index d93292700..b29765daf 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -532,7 +532,11 @@  tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
      * callbacks that we could try to implement to achieve something similar.
      * For now, use OpenSSL's security levels to achieve similar (but not equal)
      * behaviour. */
-    if (!profile || 0 == strcmp(profile, "legacy"))
+    if (!profile || 0 == strcmp(profile, "insecure"))
+    {
+        SSL_CTX_set_security_level(ctx->ctx, 0);
+    }
+    else if (!profile || 0 == strcmp(profile, "legacy"))
     {
         SSL_CTX_set_security_level(ctx->ctx, 1);
     }