[Openvpn-devel,v4] Add insecure tls-cert-profile options

Message ID 20211029112407.2004234-1-arne@rfc2549.org
State Accepted
Headers show
Series
  • [Openvpn-devel,v4] Add insecure tls-cert-profile options
Related show

Commit Message

Arne Schwabe Oct. 29, 2021, 11:24 a.m.
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
to reallow them in certain deployments. Currently this works by using the
hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to
tls-cert-profile to allow setting a seclevel of 0.

Patch v4: fix default accidentially changed to insecure

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 doc/man-sections/tls-options.rst | 6 ++++++
 src/openvpn/ssl_mbedtls.c        | 3 ++-
 src/openvpn/ssl_openssl.c        | 4 ++++
 3 files changed, 12 insertions(+), 1 deletion(-)

Comments

Max Fillinger Oct. 29, 2021, 1:25 p.m. | #1
On 29/10/2021 13:24, Arne Schwabe wrote:
> The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
> to reallow them in certain deployments. Currently this works by using the
> hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as option to
> tls-cert-profile to allow setting a seclevel of 0.
> 
> Patch v4: fix default accidentially changed to insecure
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>

With OpenSSL 3, OpenVPN accepts certs signed with SHA1 if and only if
"--tls-cert-profile insecure" is used.
Gert Doering Nov. 5, 2021, 4:03 p.m. | #2
(Client-side) tested with 1.1.1 and 3.0.0.

Without options, my sha1 certificates still fail for the 3.0.0 build,
and *with* "tls-cert-profile insecure" it works.

Your patch has been applied to the master branch.

commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67
Author: Arne Schwabe
Date:   Fri Oct 29 13:24:07 2021 +0200

     Add insecure tls-cert-profile options

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
     Message-Id: <20211029112407.2004234-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
Gert Doering May 4, 2022, 8:45 a.m. | #3
Hi,

On Fri, Nov 05, 2021 at 05:03:21PM +0100, Gert Doering wrote:
> (Client-side) tested with 1.1.1 and 3.0.0.
> 
> Without options, my sha1 certificates still fail for the 3.0.0 build,
> and *with* "tls-cert-profile insecure" it works.
> 
> Your patch has been applied to the master branch.
> 
> commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67
> Author: Arne Schwabe
> Date:   Fri Oct 29 13:24:07 2021 +0200
> 
>      Add insecure tls-cert-profile options

Based on the discussion on IRC (just now) I have applied this to 2.5
as well - Ubuntu 22.04 builds with OpenSSL 3.0.x, and without that patch,
existing user setups with sha1 certs will break and no option to work
around that.

commit 7b1b100557608db8a311d06f7578ceb7c4d33aa6 (HEAD -> release/2.5)
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 29 13:24:07 2021 +0200

    Add insecure tls-cert-profile options
    (cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67)


gert

Patch

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index eaf38395d..ac5756034 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -373,6 +373,9 @@  certificates and keys: https://github.com/OpenVPN/easy-rsa
 
   The following profiles are supported:
 
+  :code:`insecure`
+      Identical for mbed TLS to `legacy`
+
   :code:`legacy` (default)
       SHA1 and newer, RSA 2048-bit+, any elliptic curve.
 
@@ -385,6 +388,9 @@  certificates and keys: https://github.com/OpenVPN/easy-rsa
   This option is only fully supported for mbed TLS builds. OpenSSL builds
   use the following approximation:
 
+  :code:`insecure`
+      sets "security level 0"
+
   :code:`legacy` (default)
       sets "security level 1"
 
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index e7c45c099..acf4993fd 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -336,7 +336,8 @@  tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
 {
-    if (!profile || 0 == strcmp(profile, "legacy"))
+    if (!profile || 0 == strcmp(profile, "legacy")
+        || 0 == strcmp(profile, "insecure"))
     {
         ctx->cert_profile = openvpn_x509_crt_profile_legacy;
     }
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 25ff50375..61cfd7ccf 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -536,6 +536,10 @@  tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
     {
         SSL_CTX_set_security_level(ctx->ctx, 1);
     }
+    else if (0 == strcmp(profile, "insecure"))
+    {
+        SSL_CTX_set_security_level(ctx->ctx, 0);
+    }
     else if (0 == strcmp(profile, "preferred"))
     {
         SSL_CTX_set_security_level(ctx->ctx, 2);