[Openvpn-devel] Fix tls-cert-profile broken on OpenSSL 1.1+

Message ID 20210623183728.2565286-1-arne@rfc2549.org
State Accepted
Delegated to: Gert Doering
Series [Openvpn-devel] Fix tls-cert-profile broken on OpenSSL 1.1+

Commit Message

Arne Schwabe June 23, 2021, 8:37 a.m. UTC
Commit bc36d9d569 removed the autoconf detection of various OpenSSL
functions. This overlooked the HAVE_SSL_CTX_SET_SECURITY_LEVEL check in
tls_ctx_set_cert_profile. Replace this also with a version-number
based check.

Tested with LibreSSL on OpenBSD 6.8, OpenSSL 1.1 and wolfSSL.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Comments

Gert Doering July 21, 2021, 3:24 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

The root cause is very obvious ("git grep HAVE_SSL_CTX_SET_SECURITY_LEVEL"),
and the fix seems logical.  OpenSSL documentation confirms that this
was "added in OpenSSL 1.1.0", so checking for 0x10100000L sounds like
the right way to do it (one could argue about >=, but 1.1.0a would already
match).

I have tested against 1.0.2 (builds, refuses the option) and 1.1.1k
(builds and now accepts the option again, and being really strict
with "preferred" or "suiteb", refuses my SHA1 test certs).

Your patch has been applied to the master branch.

commit b66701e5e2ef194f33e2a8865a4abf4567466d83
Author: Arne Schwabe
Date:   Wed Jun 23 20:37:28 2021 +0200

     Fix tls-cert-profile broken on OpenSSL 1.1+

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20210623183728.2565286-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22584.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 3120c51a8..45a14218e 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -523,7 +523,7 @@  tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
 {
-#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
     /* OpenSSL does not have certificate profiles, but a complex set of
      * callbacks that we could try to implement to achieve something similar.
      * For now, use OpenSSL's security levels to achieve similar (but not equal)
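Review bot: the comparison `OPENSSL_VERSION_NUMBER > 0x10100000L` on the new `#if` line is a strict greater-than, while the commit message describes the intent as "OpenSSL 1.1+", i.e. 1.1.0 and later; the ack already notes that 1.1.0a matches, but `>=` would state that intent directly and remove the question. The `&& !defined(LIBRESSL_VERSION_NUMBER)` half of the condition is the part worth protecting: once autoconf feature detection is replaced by a version test, the numeric macro alone no longer proves that SSL_CTX_set_security_level exists in the library being built against, and the LibreSSL exclusion is what keeps this from turning into a build failure or a silently different code path on a fork, so any future change to this condition should keep the two halves together.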
@@ -545,13 +545,13 @@  tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
     {
         msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
     }
-#else  /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
+#else  /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
     if (profile)
     {
-        msg(M_WARN, "WARNING: OpenSSL 1.0.2 does not support --tls-cert-profile"
-            ", ignoring user-set profile: '%s'", profile);
+        msg(M_WARN, "WARNING: OpenSSL 1.0.2 and LibreSSL do not support "
+            "--tls-cert-profile, ignoring user-set profile: '%s'", profile);
     }
-#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
+#endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
 }
 
 void
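Review bot: the replaced `#else` and `#endif` comments quote only `if OPENSSL_VERSION_NUMBER > 0x10100000L` and drop the `&& !defined(LIBRESSL_VERSION_NUMBER)` part of the condition from the matching `#if`; keep the comments identical to the guard so that a reader of the fallback branch sees that LibreSSL also lands there (the reworded warning text already says so, the comments should agree with it). A secondary point, pre-existing and not introduced by this patch: the fallback keeps an explicitly configured `--tls-cert-profile` at `M_WARN` and continues, so a user who set the option to tighten certificate acceptance ends up with weaker verification than configured and only a log line to show for it. That is out of scope for a build fix, but a follow-up could consider whether a profile that cannot be honoured should be fatal rather than ignored.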