[Openvpn-devel] Add warning for the --show-groups command that some groups are missing

Message ID 20231009105714.34598-1-frank@lichtenheld.com
State Accepted

Commit Message

Frank Lichtenheld Oct. 9, 2023, 10:57 a.m. UTC
From: Arne Schwabe <arne@rfc2549.org>

OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.

Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Note: I fixed some typos on-the-fly. See my comments in Gerrit
for details.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/366
This mail reflects revision 7 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>


Gert Doering Oct. 13, 2023, 8:18 p.m. UTC | #1
Seems to make sense to avoid confusion.  Minimally tested.

Your patch has been applied to the master and release/2.6 branch.

commit a840d5099a7d1a5ceb752c481fc345f6385719df (master)
commit f41eb752368f0aa7f2a2504221df01d498f5a238 (release/2.6)
Author: Arne Schwabe
Date:   Mon Oct 9 12:57:14 2023 +0200

     Add warning for the --show-groups command that some groups are missing

     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 686ecf7..2b3f4f4 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2359,8 +2359,10 @@ 
-    printf("Consider using openssl 'ecparam -list_curves' as\n"
-           "alternative to running this command.\n");
+    printf("Consider using 'openssl ecparam -list_curves' as alternative to running\n"
+           "this command.\n"
+           "Note this output does only list curves/groups that OpenSSL considers as\n"
+           "builtin EC curves. It does not list additional curves nor X448 or X25519\n");
 #ifndef OPENSSL_NO_EC
     EC_builtin_curve *curves = NULL;
     size_t crv_len = 0;
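
Review bot: In the added printf text, "this output" comes directly after the sentence recommending 'openssl ecparam -list_curves', so it is ambiguous whether the limitation applies to the list printed by --show-groups, to the suggested alternative, or to both. Naming the command in the note removes the doubt. The note also says what the list omits without saying what the reader should conclude from that: if, as the commit message implies, these groups are only unreported by OpenSSL's builtin-curve list, say explicitly that absence from the list does not mean a group cannot be used. On wording, "does only list" reads better as "only lists", "nor X448 or X25519" as "or X448 and X25519", and the last sentence has no full stop before the final "\n".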