[Openvpn-devel,v1] mbedtls: Warn if --tls-version-min is too low

Message ID 20240703174158.7137-1-gert@greenie.muc.de
State Accepted
Series [Openvpn-devel,v1] mbedtls: Warn if --tls-version-min is too low

Commit Message

Gert Doering July 3, 2024, 5:41 p.m. UTC
From: Max Fillinger <maximilian.fillinger@foxcrypto.com>

Recent versions of mbedtls only support TLS 1.2. When the minimum
version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the
actual minimum version.

Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/684
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

Comments

Gert Doering July 4, 2024, 6:11 a.m. UTC | #1
Thanks for that.  This fixes my server test rig, which sets --tls-version-min
to accept connections from very old clients - it will now (still) fail old
clients that can not do TLS 1.2 (namely, OpenVPN 2.2(!) - 2.3 and up are
fine), but it will not fail "everything else" as the current code did.

Your patch has been applied to the master branch.

commit c535fa7afe45937bbc7dda435b2b05e57f7ecd53 (master)
Author: Max Fillinger
Date:   Wed Jul 3 19:41:58 2024 +0200

     mbedtls: Warn if --tls-version-min is too low

     Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
     Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
     Message-Id: <20240703174158.7137-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index dbe1425..64e67aa 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8942,6 +8942,15 @@ 
             msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
             goto err;
         }
+
+#ifdef ENABLE_CRYPTO_MBEDTLS
+        if (ver < TLS_VER_1_2)
+        {
+            msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
+            ver = TLS_VER_1_2;
+        }
+#endif
+
         options->ssl_flags &=
             ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
         options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
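Review bot: the new block raises the floor on `ENABLE_CRYPTO_MBEDTLS` alone, not on what the linked mbedtls release can actually negotiate; the commit message says only recent mbedtls versions are TLS 1.2-only, so a build against an older mbedtls that still speaks TLS 1.0/1.1 would also have `--tls-version-min 1.0` or `1.1` bumped to 1.2 with the same warning. Either gate the `if (ver < TLS_VER_1_2)` check on the library version (or on a capability query answered by the mbedtls backend, where the minimum version is applied), or state in the commit message and the option's documentation that mbedtls builds now enforce TLS 1.2 as the lowest accepted minimum regardless of library version. Using `M_WARN` rather than `msglevel` is right here, since the option is accepted and only its value is adjusted, but the doc text for `--tls-version-min` should say so as well.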