| Message ID | 7a28bedac4ce2e50fb3c3504c97b7fd91f6cddd3-HTML@gerrit.openvpn.net |
|---|---|
| State | Superseded |
| Headers | show
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7300:53c1:b0:f2:62eb:61c1 with SMTP id u1csp573624dye;
Tue, 21 Nov 2023 10:19:46 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IEAIHOiIJaIMj6TxBqd+wF8ds5uL9qLBvx6AHZRPCgE9XYwt4GpKWm3p9uRoWct47wC4Ejj
X-Received: by 2002:a17:902:e891:b0:1ce:66f0:72c7 with SMTP id
w17-20020a170902e89100b001ce66f072c7mr13860113plg.4.1700590786251;
Tue, 21 Nov 2023 10:19:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1700590786; cv=none;
d=google.com; s=arc-20160816;
b=CieJGvJ98nLCWTb+g+sQQi4dwTnWYtJKsZvyGNxv4jaZ5Ho5QmUAKhu9AB9vL6LCAZ
LOuDiZqlm6Gi8m6nVhaoDOJZqaUzTqoCKmkNzgguqsAB7G9M107nKhEH/BZUpL5dJaU3
BFfcjRPQpKZnZv9mD4QEtD0vF/QYFBSceuBiazfNA6rPDMZAv1XoOD842m1p1Ve9zxY4
GSSKlQXvRUQQAcHjiC3Frvg5chN+3emDsToxw6kUjrZY37SVXjPrwCTxmtfxkGGilL8n
Sw/9+InNAq3pnS2YCpkWTcrOGq1R4dWU/u2GrBZPCjZjGjAy4aXjCbTkiO87+F43OWPe
YULA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=errors-to:cc:reply-to:list-subscribe:list-help:list-post
:list-archive:list-unsubscribe:list-id:precedence:subject:user-agent
:mime-version:message-id:references:auto-submitted:to:date:from
:dkim-signature:dkim-signature:dkim-signature;
bh=yLcJqMPtVe8G68sxBUTumZp1opU2fi+GNoMZCHXhA0I=;
fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=;
b=FiXsTIP5hgVa76Zec5h3lToEsrbGn6DmhZpEhcRbQB9kuM+vBjOpwbGDQxYrxDfu5z
KgI+rbxp13bssZ5eEkx2c6DFtp5aqE44pgedHLzSo+dlufgqfTVY5vHDSvgv8bx05Pr9
K2rA9w+Kf+FxZHrw7ORMNTtavZJuqJo3HwMsDB5e7wVCjLxLOzsNoU4+3BpR6jXrskce
2/SVfH3r6DkJ2RXePUvyar3iNyPPVJMHJqqSSeKw5xg8tsFtF0mwNz/bymiTJwfIcr++
dz38FyzYaClL+oFxyN3WS9cNjn7jro/0n2NxD2XvANj9LP0F3hePpiODz+5OD73Hag24
QhEg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=ZTvLNeD1;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=VsvOaEyE;
dkim=neutral (body hash did not verify) header.i=@openvpn.net
header.s=google header.b=Mc9XQGNx;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
by mx.google.com with ESMTPS id
u8-20020a17090341c800b001cf665a0922si3747714ple.468.2023.11.21.10.19.46
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Tue, 21 Nov 2023 10:19:46 -0800 (PST)
Received-SPF: pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=ZTvLNeD1;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=VsvOaEyE;
dkim=neutral (body hash did not verify) header.i=@openvpn.net
header.s=google header.b=Mc9XQGNx;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
id 1r5VKp-0008O9-Ji;
Tue, 21 Nov 2023 18:18:54 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
(envelope-from <gerrit@openvpn.net>) id 1r5VKh-0008Nd-DQ
for openvpn-devel@lists.sourceforge.net;
Tue, 21 Nov 2023 18:18:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version
:Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:
From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=ZzK75LjcAurjU58eIJw+IhSl3c1QWzLv6Z49u6Pi7+Q=; b=ZTvLNeD1lYBfFytmuqljD1Pb6o
3ISgB1L2z4h9maoqG3EAgVTDmEQmu6esmH4yY0rXFUP0q2Lw02pmTnrfDOflhFK4dFuPbUxmne1I9
gxBgqES0/yPmdnP85wPxqnePQFIiNEgUyTgqfpKQ+N/tpfEcs6AKm6QEhMzIZ5jZfiTk=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
;
h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To:
References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID
:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:
Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post:
List-Owner:List-Archive; bh=ZzK75LjcAurjU58eIJw+IhSl3c1QWzLv6Z49u6Pi7+Q=; b=V
svOaEyET5oduQgEQEiBt8t5lyo24UAptnPCb84lZHUDn2XbYAoHoihRtg+UvRnpy5ZR/XgqWJRYOt
yiwbe6RGBItaupccSQSnLfI7W3cpMEwCCGg4K/cMeQGuy3PIHZUreaYhA3OP80F10GSv+dcD/6804
f521+6AjRb7KmSKU=;
Received: from mail-wr1-f43.google.com ([209.85.221.43])
by sfi-mx-1.v28.lw.sourceforge.com with esmtps
(TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
id 1r5VKe-00C8Qz-AA for openvpn-devel@lists.sourceforge.net;
Tue, 21 Nov 2023 18:18:46 +0000
Received: by mail-wr1-f43.google.com with SMTP id
ffacd0b85a97d-32f7c44f6a7so3908757f8f.1
for <openvpn-devel@lists.sourceforge.net>;
Tue, 21 Nov 2023 10:18:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=openvpn.net; s=google; t=1700590717; x=1701195517;
darn=lists.sourceforge.net;
h=user-agent:content-disposition:content-transfer-encoding
:mime-version:message-id:reply-to:references:subject
:list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc
:subject:date:message-id:reply-to;
bh=ZzK75LjcAurjU58eIJw+IhSl3c1QWzLv6Z49u6Pi7+Q=;
b=Mc9XQGNx2ya9JBF8gOtxdBvO3zE67tq1qHi8OByyjDZRThIXKwNyRTqaH6GtppRuob
qo8PiSJqB/se4TGU+/2+VYqwR7FBclhFnVoP8Y1bjVYjvfp9Rl3hUj960qgnrh0GEW8A
/I5BGOobaztpcZhQLfLUfiMb1Gw0DWu+9nwaKTrW5G4Wz4eb4P7V2UXQIU/H/XUx1Uyh
oVFADG6jY1ooZOiUmpWSJft31sHeBPEceIzCiHwy6Ifr9sUBwC6gdycpQrboshHkabXe
vT5ib3DTgJp3917w9ETyv9sfWSsM4ZGLF7T9vOA/XEuuahaaA2lu7TTBRvcoo1/xmLbW
pH9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1700590717; x=1701195517;
h=user-agent:content-disposition:content-transfer-encoding
:mime-version:message-id:reply-to:references:subject
:list-unsubscribe:list-id:auto-submitted:cc:to:date:from
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=ZzK75LjcAurjU58eIJw+IhSl3c1QWzLv6Z49u6Pi7+Q=;
b=eWzqoNerarkjdWn2kHldS+k/6NEvQifKvdgJUD31YDqfMZu5Qtn9H+HCC4GcdThz3c
mZaurJxXCxbELmJHkjdcGMMP0U6EGSqwXn8GFwSyJLnx1dDOInwFSwO2BpOA00/fdX3i
4S8HEu8QF3v+IsVihPBIxutnsMaLCm8CpG82L7OkxT226us4IuWg4/ENZAVC1Jj6e407
Zx1ifv7DvpJEo/rdZWyJ3OwILDoSN5en/EZPF7vRhQpZcxVph5jX5TCMSD9FemohyHY0
eItIY1uRCXtI09cJS7RswqR4qXurNNF3NlM5GaFg9596Oic+oQ4aCUxuii3nSFkTitag
25Tw==
X-Gm-Message-State: AOJu0YzmyzHWtHu2jDnpCZCYzN90W2gskvQHtGcfbwhfJsAbJSuJBRkW
3KP8qy+X3VK3Co1BSzaXMfmKFZY49VYWfl8zdQ4=
X-Received: by 2002:a5d:64ab:0:b0:31a:d9bc:47a2 with SMTP id
m11-20020a5d64ab000000b0031ad9bc47a2mr7814820wrp.53.1700590717479;
Tue, 21 Nov 2023 10:18:37 -0800 (PST)
Received: from gerrit.openvpn.in
(ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78])
by smtp.gmail.com with ESMTPSA id
f3-20020a056000036300b003316ddedb6esm13291271wrf.22.2023.11.21.10.18.36
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 21 Nov 2023 10:18:37 -0800 (PST)
From: "plaisthos (Code Review)" <gerrit@openvpn.net>
X-Google-Original-From: "plaisthos (Code Review)" <gerrit@gerrit.openvpn.in>
X-Gerrit-PatchSet: 1
Date: Tue, 21 Nov 2023 18:18:36 +0000
To: flichtenheld <frank@lichtenheld.com>
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
X-Gerrit-Change-Number: 456
X-Gerrit-Project: openvpn
X-Gerrit-ChangeURL: <http://gerrit.openvpn.net/c/openvpn/+/456?usp=email>
X-Gerrit-Commit: 49075848c908990ac946f990ff65c3406878de05
References:
<gerrit.1700590714000.Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3@gerrit.openvpn.net>
Message-ID: <7a28bedac4ce2e50fb3c3504c97b7fd91f6cddd3-HTML@gerrit.openvpn.net>
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
running on the system "util-spamd-1.v13.lw.sourceforge.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Attention is currently required from: flichtenheld. Hello
flichtenheld, I'd like you to do a code review. Please visit
Content analysis details: (-0.2 points, 6.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
[209.85.221.43 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
no trust [209.85.221.43 listed in list.dnswl.org]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily
valid
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
Colors in HTML
-0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Headers-End: 1r5VKe-00C8Qz-AA
Subject: [Openvpn-devel] [XS] Change in openvpn[master]: Extend the error
message when TLS 1.0 PRF fails
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive:
<http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net,
frank@lichtenheld.com
Cc: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Content-Type: multipart/mixed; boundary="===============2489218874312104581=="
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1783198684414475052?=
X-GMAIL-MSGID: =?utf-8?q?1783198684414475052?=
X-getmail-filter-classifier: gerrit message type newchange
|
| Series |
[Openvpn-devel,XS] Change in openvpn[master]: Extend the error message when TLS 1.0 PRF fails
|
expand
|
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 400230c..9817b2e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1641,7 +1641,12 @@ { if (!generate_key_expansion_openvpn_prf(session, &key2)) { - msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed"); + msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system " + "might not support the old TLS 1.0 PRF calculation anymore or " + "the policy does not allow TLS1 PRF calculation anymore " + "(e.g. running in FIPS mode). The peer did not announce support " + "for the modern TLS Export feature that replaces the TLS 1.0" + "RPF (requires OpenVPN 2.6.x or higher)"); goto exit; } }
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email to review the following change. Change subject: Extend the error message when TLS 1.0 PRF fails ...................................................................... Extend the error message when TLS 1.0 PRF fails This error will probably become more and more common in the future when more and more system will drop TLS 1.0 PRF support. We are already seeing people stumbling upon this (see GitHub issue #460) The current error messages TLS Error: PRF calcuation failed TLS Error: generate_key_expansion failed are not very helpful for people that do not have deep understanding of TLS or the OpenVPN protocol. Improve a on this message to give a normal user a chance to understand that the peer needs to be OpenVPN 2.6.x or newer. Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 --- M src/openvpn/ssl.c 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/456/1