From patchwork Tue Oct 19 07:31:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2024 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id OCN+NTEPb2GwQgAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id UApDNTEPb2FQAQAAeJ7fFg (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 Received: from smtp30.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTPS id yC4QNTEPb2HLUwAAyH2SIw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp30.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: e30cd2e6-310a-11ec-9dbf-5254001e8e38-1-1 Received: from [216.105.38.7] ([216.105.38.7:43748] helo=lists.sourceforge.net) by smtp30.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id C6/8D-02332-13F0F616; Tue, 19 Oct 2021 14:32:17 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from ) id 1mcttj-0001aa-2O; Tue, 19 Oct 2021 18:31:39 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from ) id 1mcttf-0001ZN-4H for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:35 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=oxkbFxObRCJ64zbY0+LqDB4if1yTrgQPE3WYum1oQac=; b=KtBMm9U+oXtJXTjUeKOxE+sn2V o8sTRbh5ITVj6r5JR8BJ8FVy4V19+mxBdG6RiokJONtoBCM9i47wgcDNhB/GO8JX4Zo56Q2qoBioc Avot/nbU6OB/6C0mKj8cxKxSoVnWYbnFVEQWr2kRjlHSM6yAI+jb6qaSCnbUrsGVvHcs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=oxkbFxObRCJ64zbY0+LqDB4if1yTrgQPE3WYum1oQac=; b=lm1gqxmY/v0WNOLzQeEjpvNXtJ YMZ28AXC+1qd+yLW/DIM0ds4aBC8eTggUDymquxddW7S2Qv2sNWhm1cC8bqQ3KenPWE7+Tq1V+KzT zE/m4NfsOvCRp4vJ2ipQGQ2iTRCduSj9+IKe8NnXiY3NkCBb0De6vnC4pXtmYe354wIE=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mctte-006U08-Df for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:35 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mcttX-0008hu-ED for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 20:31:27 +0200 Received: (nullmailer pid 614241 invoked by uid 10006); Tue, 19 Oct 2021 18:31:27 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 19 Oct 2021 20:31:12 +0200 Message-Id: <20211019183127.614175-7-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org> References: <20211019183127.614175-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that - [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mctte-006U08-Df Subject: [Openvpn-devel] [PATCH v3 06/21] [OSSL 3.0] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that --ecdh-curve is ingored and --tls-groups should be used. Signed-off-by: Arne Schwabe Acked-by: Max Fillinger --- src/openvpn/ssl_mbedtls.c | 5 +++-- src/openvpn/ssl_openssl.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index cea88f41e..e7c45c099 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -440,8 +440,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name { if (NULL != curve_name) { - msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH " - "curve, using default curves."); + msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an " + "ECDH curve with --ecdh-curve, using default curves. Use " + "--tls-groups to specify curves."); } } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a44d4f85c..92d8d0eeb 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -709,10 +709,16 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, } void -tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name - ) +tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name) { -#ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (curve_name != NULL) + { + msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an " + "ECDH curve with --ecdh-curve, using default curves. Use " + "--tls-groups to specify groups."); + } +#elif !defined(OPENSSL_NO_EC) int nid = NID_undef; EC_KEY *ecdh = NULL; const char *sname = NULL;