From patchwork Tue Apr 21 05:53:50 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4904
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 21 Apr 2026 07:53:50 +0200
Message-ID: <20260421055357.21708-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v1] Mbed TLS: Error out if we have no valid tls-groups
From: Max Fillinger

Previously, when no valid groups were specified with the tls-groups option, the Mbed TLS build of OpenVPN would start up and run, but fail to complete a handshake, while the OpenSSL build would exit with an error. This commit changes the behavior of the Mbed TLS build to match the OpenSSL version.

Change-Id: Ica5f37e525c3812609021750ecd3986c1420e2a4
Signed-off-by: Max Fillinger
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1633
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1633
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 85c771a..8a0f7d2 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -450,6 +450,12 @@ } } + /* Check if any groups were valid. */ + if (i == 0) + { + msg(M_FATAL, "Error: All groups in \"%s\" are invalid or unsupported.", groups); + } + /* Recent mbedtls versions state that the list of groups must be terminated * with 0. Older versions state that it must be terminated with MBEDTLS_ECP_DP_NONE * which is also 0, so this works either way. */
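Review bot: the new `if (i == 0)` test is only correct if `i` counts groups that were accepted, not tokens that were parsed, and the loop that advances it lies outside this hunk's context. Please confirm `i` is incremented only after a successful lookup, and consider saying so in the comment (for example "i is the number of groups accepted above") so a later change to the loop does not silently defeat the check. In the `msg(M_FATAL, ...)` line, `groups` is printed as-is: if the loop above tokenizes that string in place, the message would show only the first entry, so it should print the untouched option value. An empty tls-groups value also lands in this branch and would read as all groups in "" being invalid, which may deserve its own wording. Since the diff touches only ssl_mbedtls.c, a short note in the option's documentation that the Mbed TLS build now exits at startup instead of failing the handshake would help operators who upgrade with a stale group list.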