| Message ID | 20210623183728.2565286-1-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Delegated to: | Gert Doering |
| Series | [Openvpn-devel] Fix tls-cert-profile broken on OpenSSL 1.1+ |
Acked-by: Gert Doering <gert@greenie.muc.de>

The root cause is very obvious ("git grep HAVE_SSL_CTX_SET_SECURITY_LEVEL"), and the fix seems logical. OpenSSL documentation confirms that this was "added in OpenSSL 1.1.0", so checking for 0x10100000L sounds like the right way to do it (one could argue about >=, but 1.1.0a would already match).

I have tested against 1.0.2 (builds, refuses the option) and 1.1.1k (builds and now accepts the option again, and being really strict with "preferred" or "suiteb", refuses my SHA1 test certs).

Your patch has been applied to the master branch.

commit b66701e5e2ef194f33e2a8865a4abf4567466d83
Author: Arne Schwabe
Date: Wed Jun 23 20:37:28 2021 +0200

Fix tls-cert-profile broken on OpenSSL 1.1+

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210623183728.2565286-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22584.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 3120c51a8..45a14218e 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -523,7 +523,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { -#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL +#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL does not have certificate profiles, but a complex set of * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) @@ -545,13 +545,13 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile); } -#else /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */ +#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L */ if (profile) { - msg(M_WARN, "WARNING: OpenSSL 1.0.2 does not support --tls-cert-profile" - ", ignoring user-set profile: '%s'", profile); + msg(M_WARN, "WARNING: OpenSSL 1.0.2 and LibreSSL do not support " + "--tls-cert-profile, ignoring user-set profile: '%s'", profile); } -#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */ +#endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */ } void
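Review bot: In the first hunk, the new condition `#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)` uses a strict `>`, which excludes exactly the value 0x10100000L even though the feature is documented as present in 1.1.0; `>=` would read as the documented boundary and avoid the question the ack already raises. The `!defined(LIBRESSL_VERSION_NUMBER)` clause also deserves a one-line comment next to it, since the old macro name explained itself and the new version test does not say why LibreSSL is carved out.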
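Review bot: In the second hunk, the trailing comments on `#else` and `#endif` are written as `/* if OPENSSL_VERSION_NUMBER > 0x10100000L */`, which no longer mirrors the full `#if` condition from the first hunk (the `&& !defined(LIBRESSL_VERSION_NUMBER)` part is dropped). Since these comments exist only to let a reader match the branches, they should repeat the complete condition, for example `#endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) */`. The updated warning text correctly names both OpenSSL 1.0.2 and LibreSSL, so the message and the condition agree.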
Commit bc36d9d569 removed the autoconf detection of various OpenSSL functions. This overlooked the HAVE_SSL_CTX_SET_SECURITY_LEVEL check in tls_ctx_set_cert_profile. Replace this also with a version number based check.

Tested with LibreSSL on OpenBSD 6.8, OpenSSL 1.1 and wolfSSL.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/ssl_openssl.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)