| Message ID | 20240703174158.7137-1-gert@greenie.muc.de |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel,v1] mbedtls: Warn if --tls-version-min is too low |
Thanks for that. This fixes my server test rig, which sets --tls-version-min to accept connections from very old clients - it will now (still) fail old clients that can not do TLS 1.2 (namely, OpenVPN 2.2(!) - 2.3 and up are fine), but it will not fail "everything else" as the current code did.

Your patch has been applied to the master branch.

commit c535fa7afe45937bbc7dda435b2b05e57f7ecd53 (master)
Author: Max Fillinger
Date: Wed Jul 3 19:41:58 2024 +0200

    mbedtls: Warn if --tls-version-min is too low

    Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
    Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
    Message-Id: <20240703174158.7137-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dbe1425..64e67aa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8942,6 +8942,15 @@ msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); goto err; } + +#ifdef ENABLE_CRYPTO_MBEDTLS + if (ver < TLS_VER_1_2) + { + msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]); + ver = TLS_VER_1_2; + } +#endif + options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
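Review bot: the user-facing documentation for --tls-version-min is not updated alongside this change; since an mbedTLS build now silently raises any configured minimum below 1.2 to 1.2 (reported only as an M_WARN at option-parse time, which is easy to miss in a server log), the option's man page entry should state that mbedTLS builds enforce a floor of TLS 1.2 so operators understand why the configured value is not honoured. The placement is otherwise correct: the `#ifdef ENABLE_CRYPTO_MBEDTLS` block sits after the `unknown tls-version-min parameter` error path, so the clamp only runs for a recognised version string, and the clamped `ver` is what gets encoded into `options->ssl_flags` via `SSLF_TLS_VERSION_MIN_SHIFT`, keeping the stored flags consistent with the warning text. One small style point: the warning quotes the user's raw `p[1]` but hard-codes "1.2" as a literal; deriving both from the same version table would avoid the two drifting apart if the floor is ever raised again.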