From patchwork Fri Oct 29 00:24:07 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2049
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 29 Oct 2021 13:24:07 +0200
Message-Id: <20211029112407.2004234-1-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4] Add insecure tls-cert-profile options

The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to reallow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0".

Add insecure as option to tls-cert-profile to allow setting a seclevel of 0.

Patch v4: fix default accidentally changed to insecure

Signed-off-by: Arne Schwabe Acked-by: Max Fillinger --- doc/man-sections/tls-options.rst | 6 ++++++ src/openvpn/ssl_mbedtls.c | 3 ++- src/openvpn/ssl_openssl.c | 4 ++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index eaf38395d..ac5756034 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -373,6 +373,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa The following profiles are supported: + :code:`insecure` + Identical for mbed TLS to `legacy` + :code:`legacy` (default) SHA1 and newer, RSA 2048-bit+, any elliptic curve. @@ -385,6 +388,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa This option is only fully supported for mbed TLS builds. OpenSSL builds use the following approximation: + :code:`insecure` + sets "security level 0" + :code:`legacy` (default) sets "security level 1" diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e7c45c099..acf4993fd 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -336,7 +336,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { - if (!profile || 0 == strcmp(profile, "legacy")) + if (!profile || 0 == strcmp(profile, "legacy") + || 0 == strcmp(profile, "insecure")) { ctx->cert_profile = openvpn_x509_crt_profile_legacy; } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 25ff50375..61cfd7ccf 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -536,6 +536,10 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { SSL_CTX_set_security_level(ctx->ctx, 1); } + else if (0 == strcmp(profile, "insecure")) + { + SSL_CTX_set_security_level(ctx->ctx, 0); + } else if (0 == strcmp(profile, "preferred")) { SSL_CTX_set_security_level(ctx->ctx, 2);
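
Review bot: In the first doc/man-sections/tls-options.rst hunk (@@ -373), the new entry writes `legacy` in single backticks while the profile names around it use the :code: role; in reStructuredText single backticks are the default interpreted-text role rather than a literal, so this should read "Identical to :code:`legacy` for mbed TLS". Because this list is where readers learn what each profile accepts, the entry should also say outright that on mbed TLS builds the name does not relax anything beyond legacy.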
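
Review bot: In the second doc/man-sections/tls-options.rst hunk (@@ -385), the text 'sets "security level 0"' does not tell the reader what that level permits or when it is needed. The commit message gives the reason (SHA1 certificates under OpenSSL 3.0); repeating that here, together with a sentence that the profile is meant only for deployments that still depend on such certificates, would keep users from choosing it without knowing what they give up.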
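
Review bot: In tls_ctx_set_cert_profile() in src/openvpn/ssl_mbedtls.c, "insecure" is folded into the legacy condition with no comment and no log message, so the same configuration line yields openvpn_x509_crt_profile_legacy here and security level 0 on an OpenSSL build. A short comment on the condition explaining why insecure maps to the legacy profile, and ideally a log line telling the operator that insecure is being treated as legacy, would make the difference between the two builds visible outside the man page.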
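
Review bot: The new "insecure" branch in src/openvpn/ssl_openssl.c calls SSL_CTX_set_security_level(ctx->ctx, 0) silently; a profile whose stated purpose is to re-allow deprecated certificates should leave a trace in the log, for example a msg(M_WARN, ...) saying that tls-cert-profile insecure is in effect, so the setting can be found when a deployment is audited. The docs or commit message should also say how this option relates to the tls-cipher "DEFAULT:@SECLEVEL=0" workaround it is meant to replace, since both end up setting the same security level.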