From patchwork Wed Oct 4 03:38:39 2017
X-Patchwork-Submitter: Bernhard Schmidt
X-Patchwork-Id: 9
X-Patchwork-Delegate: steffan@karger.me
From: Bernhard Schmidt
To: openvpn-devel@lists.sourceforge.net
Cc: Kurt Roeckx
Message-ID: <80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de>
Date: Wed, 4 Oct 2017 16:38:39 +0200
Subject: [Openvpn-devel] [PATCH] openssl 1.1 tls version support

Hi,

in https://bugs.debian.org/873302 Kurt Roeckx (Debian OpenSSL maintainer)
submitted a patch for OpenVPN to properly set the minimum and maximum TLS
version. On Debian Buster (current development) OpenSSL 1.1 defaults to
TLSv1.2+ only. I'm unwilling to carry crypto specific patches in Debian.

Can anyone make some sense out of this and apply the patch if possible?
Please keep Kurt CCed and direct any questions to him.

Bernhard

--- src/openvpn/ssl_openssl.c.bak 2017-08-26 13:10:40.333428825 +0200
+++ src/openvpn/ssl_openssl.c 2017-08-26 13:12:05.143672978 +0200
@@ -215,6 +215,19 @@ #endif } +/* convert internal version number to openssl version number */ +static int +openssl_tls_version(int ver) +{ + if (ver == TLS_VER_1_0) + return TLS1_VERSION; + else if (ver == TLS_VER_1_1) + return TLS1_1_VERSION; + else if (ver == TLS_VER_1_2) + return TLS1_2_VERSION; + return 0; +} + void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { @@ -232,6 +245,17 @@ tls_ver_max = (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; + +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + if (tls_ver_min <= TLS_VER_UNSPEC) + { + SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min)); + } + if (tls_ver_max <= TLS_VER_UNSPEC) + { + SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max)); + } +#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/ if (tls_ver_max <= TLS_VER_UNSPEC) { tls_ver_max = tls_version_max(); @@ -253,6 +277,7 @@ sslopt |= SSL_OP_NO_TLSv1_2; } #endif +#endif /* OPENSSL_VERSION_NUMBER */ #ifdef SSL_OP_NO_COMPRESSION /* Disable compression - flag not available in OpenSSL 0.9.8 */ sslopt |= SSL_OP_NO_COMPRESSION;
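Review bot: in the first hunk (@@ -215,6 +215,19 @@), openssl_tls_version() falls through to `return 0;` for TLS_VER_UNSPEC, for TLS_VER_BAD and for any value added later. OpenSSL treats 0 passed to SSL_CTX_set_min_proto_version() / SSL_CTX_set_max_proto_version() as "no restriction in that direction", which is the right meaning for an unspecified bound, so the comment above the function should say that explicitly rather than leaving 0 as an undocumented default; a reader otherwise cannot tell whether 0 means "unrestricted" or "error". The surrounding code also braces every if body (`if (tls_ver_max <= TLS_VER_UNSPEC) { tls_ver_max = tls_version_max();`), so the unbraced `if (ver == TLS_VER_1_0) return TLS1_VERSION;` chain should either get braces to match the file's style or become a switch on ver.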
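Review bot: the guards in the second hunk (@@ -232,6 +245,17 @@) are inverted. `if (tls_ver_min <= TLS_VER_UNSPEC)` is true only when no minimum was configured: the retained `#else` code uses exactly that test to detect an unset maximum before substituting tls_version_max(). As written, SSL_CTX_set_min_proto_version() is therefore called with openssl_tls_version(TLS_VER_UNSPEC), i.e. 0, precisely when there is nothing to enforce, and is skipped when the user did set a minimum (--tls-version-min); the same applies to the max branch. Since the legacy SSL_OP_NO_TLSv1* path is now compiled out for OPENSSL_VERSION_NUMBER >= 0x10100000, a configured minimum or maximum has no effect at all on OpenSSL 1.1 builds, which is the opposite of what the cover letter asks for. Either test `> TLS_VER_UNSPEC` or drop the guards and always call both setters (0 already means "unrestricted" to OpenSSL). Both setters also return 0 on failure; check the result and report it (e.g. with msg() at an error level) instead of silently continuing with a context whose version bounds differ from the configuration.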
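Review bot: in the third hunk (@@ -253,6 +277,7 @@) the new `#endif /* OPENSSL_VERSION_NUMBER */` comment does not name the condition it closes, while the matching `#else` earlier in the patch spells out `/* OPENSSL_VERSION_NUMBER >= 0x10100000*/`. Use the same text on the `#endif` (and add the missing space before `*/` in both) so the `#if` / `#else` / `#endif` triple can be paired without scrolling, especially since it now encloses an inner `#endif` from the legacy SSL_OP_NO_TLSv1_2 block.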