[Openvpn-devel] correct tls-groups for OpenSSL3

Message ID	20220327131639.29686-1-info@baentsch.ch
State	Superseded
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Received-SPF: pass (www14.servertown.ch: connection is authenticated) From: Michael Baentsch <info@baentsch.ch> To: openvpn-devel@lists.sourceforge.net Date: Sun, 27 Mar 2022 15:16:39 +0200 Message-Id: <20220327131639.29686-1-info@baentsch.ch> preview: From: Michael <57787676+baentsch@users.noreply.github.com> --- src/openvpn/ssl_openssl.c \| 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b8595174..af97dabc 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -572,13 +572,15 @@ void tls_ctx_se [...] Content analysis details: (0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Subject: [Openvpn-devel] [PATCH] correct tls-groups for OpenSSL3 Precedence: list Cc: Michael <57787676+baentsch@users.noreply.github.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel] correct tls-groups for OpenSSL3 \| expand [Openvpn-devel] correct tls-groups for OpenSSL3

Message ID

20220327131639.29686-1-info@baentsch.ch

State

Superseded

Headers

Received-SPF: pass (www14.servertown.ch: connection is authenticated)
From: Michael Baentsch <info@baentsch.ch>
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 27 Mar 2022 15:16:39 +0200
Message-Id: <20220327131639.29686-1-info@baentsch.ch>
Subject: [Openvpn-devel] [PATCH] correct tls-groups for OpenSSL3
Precedence: list
Cc: Michael <57787676+baentsch@users.noreply.github.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel] correct tls-groups for OpenSSL3 | expand

Commit Message

Michael Baentsch March 27, 2022, 2:16 a.m. UTC

From: Michael <57787676+baentsch@users.noreply.github.com>

---
 src/openvpn/ssl_openssl.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b8595174..af97dabc 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -572,13 +572,15 @@  void
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
     ASSERT(ctx);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
     struct gc_arena gc = gc_new();
     /* This method could be as easy as
      *  SSL_CTX_set1_groups_list(ctx->ctx, groups)
-     * but OpenSSL does not like the name secp256r1 for prime256v1
+     * but OpenSSL (< 3.0) does not like the name secp256r1 for prime256v1
      * This is one of the important curves.
      * To support the same name for OpenSSL and mbedTLS, we do
      * this dance.
+     * Also note that the code is wrong in the presence of OpenSSL3 providers.
      */
 
     int groups_count = get_num_elements(groups, ':');
@@ -617,6 +619,13 @@  tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
                    groups);
     }
     gc_free(&gc);
+#else
+    if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
+    {
+        crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
+                   groups);
+    }
+#endif
 }
 
 void

[Openvpn-devel] correct tls-groups for OpenSSL3

Commit Message

Patch