From patchwork Wed Jul 3 15:37:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "plaisthos (Code Review)" X-Patchwork-Id: 3750 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:59c7:b0:57d:b2cb:6cf with SMTP id z7csp2856050may; Wed, 3 Jul 2024 08:37:47 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWq+JfZQyKZxRG0DsKpG+iQZIXKPbk/wpCw87rmSFihwki5eKrHOPcV/xYVRTlN2V0X/Mk3Wbe/t6oxPPV5tz5bj+squKY= X-Google-Smtp-Source: AGHT+IH6ppDAwEo05KontfS3QzxqsGtUSjRskbbQHaR5QQY82fqWAMZcn4RUB/pGaHXFRK3VkF/m X-Received: by 2002:a17:902:ec88:b0:1fa:ab25:f634 with SMTP id d9443c01a7336-1fadbd13592mr135847505ad.3.1720021066670; Wed, 03 Jul 2024 08:37:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1720021066; cv=none; d=google.com; s=arc-20160816; b=FlDrzCFbXOQnX4gtrPyV3EZbAd+SqB1mVpSAs30haiMPhuZFmdpPWnz3RYiN3tFm+X HYbwfROUxl5yyOyEzObXWq/vvUGbvP9l+IH0RckFsKbCV3TQkEv3cEJDj7ILDWpUWY6h CD8Yn8pbW9JhxBEGjVlymcGEFSBU3x+6LwSpr5bOpb3gz42TNpsksL+vJ2Z+InaUac5y 2OceFU2Y9w0vDCHN3O1N2Vf47fVSaQ5eFQeemqjK+6pp2STU+Y31cbWyiTqKh/AN3Cft nPK8eY6nzivNkpsb401kuD1Y+OZyMDIx5aQ03krMnkqqZCo9E0I/B4daMWZxLlg102sP nkdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=KMqNRzAvp/h7FJaFtgjqIOhoQP11qtWG6UmRSFTx1NI=; fh=U7wEyxtwz2o5+UdevFSA47vNeG9knhWH0KV//QhD5a0=; b=Ek2hgmUs40P1hyJDL/HOTFnUqTxVT/ctLYgs5PNGTvC4ERRYE51Ool+VDoeOzh4A0Y xKuoNFptJ0HS0HqMZTpS6+lwmxFjQ61shHGXi1fq+OMCB4BfhEXX4WQ70ntChRvoOvHw ZKB+S7koKsR9iXmOHemus3YWPpTV+791NfMknNobEwD5YFLOH7UhA6cG71tBGjCzOy+m wdAJfNrutvr/oNVsyf9Vl1OoDwqIdOWAkm2nmDtHP3YrI1isQDtoqoVwu6ZNXVqV8Z+P XwX1Vsiklv8ItMJASUQ9/yYaR4OarCpdbcT6sEzuLokgXRGIKIAJVmZWQTqmFVfVqB2z aBKg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=TVeSYj9L; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=WDG2YxlF; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=L3EiT9zy; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id d9443c01a7336-1fac10d219asi128378985ad.32.2024.07.03.08.37.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 Jul 2024 08:37:46 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=TVeSYj9L; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=WDG2YxlF; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=L3EiT9zy; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1sP22m-0007YC-6k; Wed, 03 Jul 2024 15:37:16 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1sP22l-0007Y2-5Y for openvpn-devel@lists.sourceforge.net; Wed, 03 Jul 2024 15:37:15 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=g92RSY6Qj/sogJROvcDZFIWENRUk34IrgM+tx/hMSrQ=; b=TVeSYj9Li3CvWPj2Tf4X0srrrM y/ondYnD0rLtNHtNCUP/2LWDd9b/Kju9R3qXf2/b1FQgI9AxgB2D5CE0OCTKTH61hzJMMpnMMsteQ N1e3UsG8NOJgoFiIetKtzuCdknjiIZNoiL5IoMXWsGkioIrct82BeUTq7c7ktbdahOCQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=g92RSY6Qj/sogJROvcDZFIWENRUk34IrgM+tx/hMSrQ=; b=W DG2YxlFKSmyrgpCrjQ9yxFm0JPTRXSS7FOmJe73q5fNsLr4Rjk4zs/k/gPQ1I343FfwBm9jDY7MKj jcZD8u9Gjfdra1x/8klSd+xAb50NV5oAD37Y8H1xGLN/Qoy6RcsuDJ3Pjow+mSU6QgSHJmmCn2+Az 4s/h5dxZ4dw9tkyw=; Received: from mail-wm1-f46.google.com ([209.85.128.46]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1sP22l-0003F3-74 for openvpn-devel@lists.sourceforge.net; Wed, 03 Jul 2024 15:37:15 +0000 Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-425809eef0eso26240425e9.3 for ; Wed, 03 Jul 2024 08:37:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1720021023; x=1720625823; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=g92RSY6Qj/sogJROvcDZFIWENRUk34IrgM+tx/hMSrQ=; b=L3EiT9zykEVnzwpvo5KXBCbAeb4kgTLNaV5l1rpTHCIRBPRSWArQURyxjh+K0pNUjE WQzdKmHAnnSAOMGqyNvqvFO0r3Hp3lN17vBHo+1qNJUKdvqV9LicEDQMsp6M9rVuTru0 1PHTsPYY278jriL0SATWLXoJwZkDlIHYRUnnJKkIKLiezmToMvVfo3MaeJRh3aHMw7c5 v0AxMAWj3CTTMLY2uzNnjPqUcPDXVcumSzCIjoEBovoFpXSKcUpD0udon3bg3QaWQUFp jB5x4bVun6uZ1hNbWa5jlBZ5/Dzd5JpC040mbNj7VtfsqNixzpY9r+/6ajYfMbaDXk+l XjdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720021023; x=1720625823; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=g92RSY6Qj/sogJROvcDZFIWENRUk34IrgM+tx/hMSrQ=; b=wdvM2pGV2gSIzwpuK7lsBfrEdLvHD8VBjaBgk5CTlhwnb98QdqwhXqg0vCk63NveA1 0wcf2R+ZSQ5y9LQHaZUDOpRaqaet7+mMK+WEximdTdb11efZUjDGpaOPQEhA2vWpad+f Mlcq4ISjGhbh4JUzM5tLOxg57BCMU3yCgKmeyfsJS045VP7OVqwunmEgeG50eL6RWMBC MjblUUuIelV+ND1I4jheMdKVkzM4AlCNGTwy7z+eAgWggxJ+ez4Vf8UqehjS0bLIoLJN XPqNlHhbDGYgFFyrgTpRY2alLJsawjEALYpldAfyGzavTdnHL4JeldsNUo0kHoTITj9G Sowg== X-Gm-Message-State: AOJu0YzU7Xqzjj404bDwbiQ9zyLn6bjgTTShsDBushMXzsc4RD78IpEN KiPBm+T8OVBw8Vsnrndw711IpaZsKKcscvtw1bIAHt8VnHlEokuFISGJZOrFMMKajRGowafhh/r t X-Received: by 2002:a05:600c:4b1a:b0:425:618b:3a4a with SMTP id 5b1f17b1804b1-4257a0642d4mr81370115e9.25.1720021022963; Wed, 03 Jul 2024 08:37:02 -0700 (PDT) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-36791d7a93bsm2271203f8f.81.2024.07.03.08.37.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Jul 2024 08:37:02 -0700 (PDT) From: "MaxF (Code Review)" X-Google-Original-From: "MaxF (Code Review)" X-Gerrit-PatchSet: 1 Date: Wed, 3 Jul 2024 15:37:02 +0000 To: plaisthos , flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e X-Gerrit-Change-Number: 684 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: dfef227610fa2777220946590a39078566d20339 References: Message-ID: MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [209.85.128.46 listed in list.dnswl.org] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.128.46 listed in bl.score.senderscore.com] 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.128.46 listed in sa-trusted.bondedsender.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.46 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1sP22l-0003F3-74 Subject: [Openvpn-devel] [XS] Change in openvpn[master]: mbedtls: Warn if --tls-version-min is too low X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: max@max-fillinger.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1803572809718904716?= X-GMAIL-MSGID: =?utf-8?q?1803572809718904716?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/684?usp=email to review the following change. Change subject: mbedtls: Warn if --tls-version-min is too low ...................................................................... mbedtls: Warn if --tls-version-min is too low Recent versions of mbedtls only support TLS 1.2. When the minimum version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the actual minimum version. Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e Signed-off-by: Max Fillinger --- M src/openvpn/options.c 1 file changed, 9 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/84/684/1 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index dbe1425..64e67aa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8942,6 +8942,15 @@ msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); goto err; } + +#ifdef ENABLE_CRYPTO_MBEDTLS + if (ver < TLS_VER_1_2) + { + msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]); + ver = TLS_VER_1_2; + } +#endif + options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);