From patchwork Wed Oct 31 05:52:21 2018
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 585
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 31 Oct 2018 17:52:21 +0100
Message-Id: <20181031165222.5997-1-arne@rfc2549.org>
In-Reply-To: <20181007215837.489-1-arne@rfc2549.org>
References: <20181007215837.489-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2 1/2] Make tls_version_max return the actual maximum version

Before OpenSSL 1.1.1 there could be no mismatch between compiled and actual OpenSSL version. With OpenSSL 1.1.1 we need runtime detection to detect the actual best TLS version supported. Allowing this runtime detection also allows removing some of the TLS 1.3/OpenSSL 1.1.1 #ifdefs.

Without this patch, tls-min-version 1.3 or-highest will actually downgrade to TLS 1.3 in the "compiled with 1.1.0 and linked against 1.1.1" scenario.

Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c         | 11 +++++------
 src/openvpn/ssl_openssl.c | 33 ++++++++++++++++++++++++++++-----
 2 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index c0bc7a47..2a92f2e6 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -4182,12 +4182,11 @@ show_available_tls_ciphers(const char *cipher_list, { printf("Available TLS Ciphers, listed in order of preference:\n"); -#if (ENABLE_CRYPTO_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x1010100fL) - printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n"); - show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true); -#else - (void) cipher_list_tls13; /* Avoid unused warning */ -#endif + if (tls_version_max() >= TLS_VER_1_3) + { + printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n"); + show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true); + } printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n"); show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false); diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b5da7e13..c2c8fdc0 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -210,7 +210,23 @@ int tls_version_max(void) { #if defined(TLS1_3_VERSION) + /* If this is defined we can safely assume TLS 1.3 support */ return TLS_VER_1_3; +#elif OPENSSL_VERSION_NUMBER >= 0x10100000L + /* + * The library we are *linked* against is OpenSSL 1.1.1 + * and therefore supports TLS 1.3. This needs to be checked at runtime + * since we can be compiled against 1.1.0 and then the library can be + * upgraded to 1.1.1 + */ + if (OpenSSL_version_num() >= 0x1010100fL) + { + return TLS_VER_1_3; + } + else + { + return TLS_VER_1_2; + } #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1) 
@@ -236,12 +252,20 @@ openssl_tls_version(int ver) { return TLS1_2_VERSION; } -#if defined(TLS1_3_VERSION) else if (ver == TLS_VER_1_3) { + /* + * Supporting the library upgraded to TLS1.3 without recompile + * is enough to support here with a simple constant that the same + * as in the TLS 1.3, so spec it is very unlikely that OpenSSL + * will change this constant + */ +#ifndef TLS1_3_VERSION + return 0x0304; +#else return TLS1_3_VERSION; - } #endif + } return 0; } @@ -1948,14 +1972,13 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); } -#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) if (tls13) { - SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); + SSL_CTX_set_min_proto_version(tls_ctx.ctx, + openssl_tls_version(TLS_VER_1_3)); tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); } else -#endif { SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION); tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
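Review bot: In the show_available_tls_ciphers hunk in ssl.c, the new runtime check `if (tls_version_max() >= TLS_VER_1_3)` makes the show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true) path reachable in a binary compiled against 1.1.0 headers and linked at runtime to 1.1.1, which is exactly the scenario the commit message targets; tls_ctx_restrict_ciphers_tls13, which that path ends up calling, is not touched by this diff, so please confirm it does not still gate on compile-time OPENSSL_VERSION_NUMBER, otherwise a non-NULL cipher list would fail there. Dropping the `(void) cipher_list_tls13; /* Avoid unused warning */` line is fine, since the parameter is now always referenced.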
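Review bot: In the tls_version_max hunk, the new comment describes the condition backwards: the `#elif OPENSSL_VERSION_NUMBER >= 0x10100000L` branch is selected because the headers we compiled against are 1.1.0 or newer without TLS1_3_VERSION, and it is the OpenSSL_version_num() call below it that determines whether the library we are actually linked against is 1.1.1. Suggest rewording along the lines of "Compiled against 1.1.0 headers; the library may have been upgraded to 1.1.1 at runtime, so ask the linked library for its version." Two smaller points: the `else { return TLS_VER_1_2; }` after an unconditional return can be flattened to a bare `return TLS_VER_1_2;` to match the surrounding #elif branches, and comparing against `0x1010100fL` (status nibble 0xf, i.e. a final release) means 1.1.1 pre-release builds report TLS 1.2, which looks intentional but deserves a word in the comment.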
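Review bot: In the openssl_tls_version hunk, the added comment is garbled ("is enough to support here with a simple constant that the same as in the TLS 1.3, so spec it is very unlikely that OpenSSL will change this constant") and should be rewritten before merge; something like "Headers lack TLS1_3_VERSION but the linked library may still support TLS 1.3. 0x0304 is the TLS 1.3 protocol version from RFC 8446 and will not change." says the same thing clearly. The bare literal `return 0x0304;` would also read better as a named fallback macro (for example defined next to the other OpenSSL compatibility shims) so the next reader does not have to look the value up; the `#ifndef TLS1_3_VERSION` / `#else` split inside the else-if body is otherwise fine.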
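Review bot: In the show_available_tls_ciphers_list hunk, removing the `#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)` / `#endif` pair makes SSL_CTX_set_min_proto_version compile unconditionally, including for builds against OpenSSL older than 1.1.0 where that function is not provided by the library itself; the SSL_CTX_set_max_proto_version call in the else branch was already unguarded, so a compatibility definition presumably exists, but please confirm the min variant is covered as well. Replacing the TLS1_3_VERSION macro with `openssl_tls_version(TLS_VER_1_3)` is the right change here, because with the runtime path added to tls_version_max the `if (tls13)` branch is now reachable even when that macro is undefined at compile time.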