@@ -8933,7 +8933,7 @@
ver = tls_version_parse(p[1], p[2]);
if (ver == TLS_VER_BAD)
{
- msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
+ msg(msglevel, "unknown or unsupported tls-version-min parameter: %s", p[1]);
goto err;
}
options->ssl_flags &=
@@ -8947,7 +8947,7 @@
ver = tls_version_parse(p[1], NULL);
if (ver == TLS_VER_BAD)
{
- msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
+ msg(msglevel, "unknown or unsupported tls-version-max parameter: %s", p[1]);
goto err;
}
options->ssl_flags &=
@@ -405,20 +405,21 @@
int
tls_version_parse(const char *vstr, const char *extra)
{
+ const int min_version = tls_version_min();
const int max_version = tls_version_max();
- if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
+ if (!strcmp(vstr, "1.0") && min_version <= TLS_VER_1_0 && TLS_VER_1_0 <= max_version)
{
return TLS_VER_1_0;
}
- else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
+ else if (!strcmp(vstr, "1.1") && min_version <= TLS_VER_1_1 && TLS_VER_1_1 <= max_version)
{
return TLS_VER_1_1;
}
- else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
+ else if (!strcmp(vstr, "1.2") && min_version <= TLS_VER_1_2 && TLS_VER_1_2 <= max_version)
{
return TLS_VER_1_2;
}
- else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
+ else if (!strcmp(vstr, "1.3") && min_version <= TLS_VER_1_3 && TLS_VER_1_3 <= max_version)
{
return TLS_VER_1_3;
}
@@ -117,6 +117,14 @@
int tls_version_max(void);
/**
+ * Return the minimum TLS version (as a TLS_VER_x constant)
+ * supported by current SSL implementation
+ *
+ * @return One of the TLS_VER_x constants (but not TLS_VER_BAD).
+ */
+int tls_version_min(void);
+
+/**
* Initialise a library-specific TLS context for a server.
*
* @param ctx TLS context to initialise
@@ -1049,6 +1049,16 @@
#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
}
+int
+tls_version_min(void)
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ return TLS_VER_1_2;
+#else
+ #error "mbedtls is compiled without support for TLS 1.2."
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
+}
+
/**
* Convert an OpenVPN tls-version variable to mbed TLS format
*
@@ -231,6 +231,12 @@
#endif
}
+int
+tls_version_min(void)
+{
+ return TLS_VER_1_0;
+}
+
/** Convert internal version number to openssl version number */
static int
openssl_tls_version(int ver)
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/683?usp=email to review the following change. Change subject: Check that tls-version-min is supported on startup ...................................................................... Check that tls-version-min is supported on startup After disabling TLS 1.0 and 1.1 in the mbedtls build, the client would error out during startup if tls-version-min was set to 1.0 or 1.1, but the server would start up and only error out when a client attempts to connect. This commit checks that tls-version-min is supported during startup so that both the client and server error out on startup. Change-Id: Ifc589854816842e46969a76e2845084b3aaa962f Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> --- M src/openvpn/options.c M src/openvpn/ssl.c M src/openvpn/ssl_backend.h M src/openvpn/ssl_mbedtls.c M src/openvpn/ssl_openssl.c 5 files changed, 31 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/683/1