From patchwork Wed Jul 3 17:41:58 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3751
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 3 Jul 2024 19:41:58 +0200
Message-ID: <20240703174158.7137-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.44.2
Subject: [Openvpn-devel] [PATCH v1] mbedtls: Warn if --tls-version-min is too low

From: Max Fillinger

Recent versions of mbedtls only support TLS 1.2. When the minimum version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the actual minimum version.

Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e
Signed-off-by: Max Fillinger Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/684 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dbe1425..64e67aa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8942,6 +8942,15 @@ msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); goto err; } + +#ifdef ENABLE_CRYPTO_MBEDTLS + if (ver < TLS_VER_1_2) + { + msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]); + ver = TLS_VER_1_2; + } +#endif + options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
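Review bot: the clamp in this hunk is gated on ENABLE_CRYPTO_MBEDTLS alone, while the commit message scopes the limitation to recent mbedtls versions, so a build against an older mbedtls that still offers TLS 1.0/1.1 will also have its floor raised to 1.2 and will print a warning ("is not supported by mbedtls") that is not accurate for that library. Either tie the `#ifdef` to the mbedtls version detected at build time, or reword the message so it says the configured minimum is being raised to 1.2 for mbedtls builds without claiming the library lacks support. A smaller point: because `ver` is overwritten after the parse has already succeeded, an existing config with `--tls-version-min 1.0` or `1.1` now changes behaviour on upgrade rather than failing; that is worth stating explicitly in the commit message.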
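The behaviour the commit message describes (a requested minimum of TLS 1.0 or 1.1 is reported and raised to 1.2 on mbedtls builds) is easy to check for in a deployed config before upgrading. The following Python audit helper is an added example written for this page, not code from OpenVPN or from the patch author. It assumes OpenVPN's `tls-version-min <ver> [or-highest]` directive syntax, the version ordering 1.0 < 1.1 < 1.2 < 1.3, and a per-backend floor table (`BACKEND_FLOOR`) constructed here from the patch's description; it accepts the `or-highest` keyword but does not model its upper-bound semantics.

```python
"""Audit tls-version-min in an OpenVPN config against the mbedtls clamp.

Added example (not OpenVPN code). Mirrors the patch's rule: on an mbedtls
build, a requested minimum below 1.2 is warned about and raised to 1.2.
"""
import re

# Ordering OpenVPN uses for --tls-version-min values (assumed, matches its syntax).
TLS_ORDER = ["1.0", "1.1", "1.2", "1.3"]

# Assumed floor per crypto backend after this patch: mbedtls clamps to 1.2,
# other backends are assumed not to clamp. Constructed for this example.
BACKEND_FLOOR = {"mbedtls": "1.2", "openssl": None}

# Matches "tls-version-min <ver>" with an optional "or-highest" suffix.
DIRECTIVE = re.compile(r"^\s*tls-version-min\s+(\S+)(?:\s+(or-highest))?\s*$", re.M)


def effective_tls_min(config_text, backend):
    """Return (requested, effective, warnings) for the first tls-version-min line.

    requested: the version string as written, or None if the directive is absent.
    effective: the minimum the daemon would actually enforce under `backend`.
    warnings:  findings in the same wording the patch logs (empty if nothing is clamped).
    """
    m = DIRECTIVE.search(config_text)
    if not m:
        return None, None, []
    requested = m.group(1)
    if requested not in TLS_ORDER:
        # Mirrors the "unknown tls-version-min parameter" error path in options.c.
        raise ValueError(f"unknown tls-version-min parameter: {requested}")
    effective = requested
    warnings = []
    floor = BACKEND_FLOOR.get(backend)
    if floor is not None and TLS_ORDER.index(requested) < TLS_ORDER.index(floor):
        warnings.append(
            f"--tls-version-min {requested} is not supported by {backend}, using {floor}"
        )
        effective = floor
    return requested, effective, warnings


def audit(configs, backend):
    """Run effective_tls_min over {name: config_text} and return only clamped entries."""
    findings = {}
    for name, text in configs.items():
        requested, effective, warnings = effective_tls_min(text, backend)
        if warnings:
            findings[name] = (requested, effective)
    return findings


if __name__ == "__main__":
    # Constructed sample configs, not taken from any real deployment.
    sample = {
        "legacy.ovpn": "client\nremote vpn.example.invalid 1194\ntls-version-min 1.0\n",
        "modern.ovpn": "client\ntls-version-min 1.2 or-highest\n",
        "unset.ovpn": "client\ncipher AES-256-GCM\n",
    }
    for name, (req, eff) in audit(sample, "mbedtls").items():
        print(f"{name}: requested {req}, effective {eff}")
```

Run it against a directory of client and server configs before rolling out a new OpenVPN/mbedtls build; any entry it reports will start logging the patch's M_WARN line and will negotiate no lower than TLS 1.2 after the upgrade.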