[Openvpn-devel] Use right function to set TLS1.3 restrictions in show-tls

Message ID 20181011220639.7316-1-arne@rfc2549.org
State Accepted, archived
Headers show
Series
  • [Openvpn-devel] Use right function to set TLS1.3 restrictions in show-tls
Related show

Commit Message

Arne Schwabe Oct. 11, 2018, 10:06 p.m.
The last version of the patch used the TLS1.2 version
tls_ctx_restrict_ciphers to set the restrictions for both
TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13
for TLS1.3.

Also fix minor style problem while I am touching the function
---
 src/openvpn/ssl_openssl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

David Sommerseth Oct. 12, 2018, 10:38 a.m. | #1
On 12/10/18 00:06, Arne Schwabe wrote:
> The last version of the patch used the TLS1.2 version
> tls_ctx_restrict_ciphers to set the restrictions for both
> TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13
> for TLS1.3.
> 
> Also fix minor style problem while I am touching the function
> ---
>  src/openvpn/ssl_openssl.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index 6717ded0..da573cfa 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -2002,15 +2002,16 @@ show_available_tls_ciphers_list(const char *cipher_list,
>      if (tls13)
>      {
>          SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
> +        tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);

Isn't this function only available in OpenSSL 1.1.1 and newer?  Or am I
missing a fine detail here?
Arne Schwabe Oct. 12, 2018, 11:42 a.m. | #2
Am 12.10.18 um 12:38 schrieb David Sommerseth:
> On 12/10/18 00:06, Arne Schwabe wrote:
>> The last version of the patch used the TLS1.2 version
>> tls_ctx_restrict_ciphers to set the restrictions for both
>> TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13
>> for TLS1.3.
>>
>> Also fix minor style problem while I am touching the function
>> ---
>>  src/openvpn/ssl_openssl.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
>> index 6717ded0..da573cfa 100644
>> --- a/src/openvpn/ssl_openssl.c
>> +++ b/src/openvpn/ssl_openssl.c
>> @@ -2002,15 +2002,16 @@ show_available_tls_ciphers_list(const char *cipher_list,
>>      if (tls13)
>>      {
>>          SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
>> +        tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);
> 
> Isn't this function only available in OpenSSL 1.1.1 and newer?  Or am I
> missing a fine detail here?
>

It is and it is a block ifdef'ed by OpenSSL version.

Arne
Gert Doering Oct. 12, 2018, 3:30 p.m. | #3
Acked-by: Gert Doering <gert@greenie.muc.de>

It now displays the expected result set (and the code change makes sense):

   $ src/openvpn/openvpn --verb 4 --tls-ciphersuites TLS_AES_256_GCM_SHA384 --show-tls --tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
   Available TLS Ciphers, listed in order of preference:

   For TLS 1.3 and newer (--tls-ciphersuites):

   TLS_AES_256_GCM_SHA384

   For TLS 1.2 and older (--tls-cipher):

   TLS-DHE-RSA-WITH-AES-256-CBC-SHA256



Tested with OpenSSL 1.0.2, 1.1.1 and mbedTLS.

Your patch has been applied to the master and release/2.4 branch.

commit 680117529ededd94b1d56867f8d834aa5daa2b95 (master)
commit 33253cf1d0c1175e7391a4eec3b64f1ec0b303dd (release/2.4)
Author: Arne Schwabe
Date:   Fri Oct 12 00:06:39 2018 +0200

     Use right function to set TLS1.3 restrictions in show-tls

     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20181011220639.7316-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 6717ded0..da573cfa 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2002,15 +2002,16 @@  show_available_tls_ciphers_list(const char *cipher_list,
     if (tls13)
     {
         SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
+        tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);
     }
     else
 #endif
     {
         SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION);
+        tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
     }
 
     tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);
-    tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
 
     SSL *ssl = SSL_new(tls_ctx.ctx);
     if (!ssl)
@@ -2039,7 +2040,8 @@  show_available_tls_ciphers_list(const char *cipher_list,
         else if (NULL == pair)
         {
             /* No translation found, print warning */
-            printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
+            printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n",
+                   cipher_name);
         }
         else
         {