From patchwork Tue Jun 18 12:02:19 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3736
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 18 Jun 2024 14:02:19 +0200
Message-ID: <20240618120219.5053-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] mbedtls: Remove support for old TLS versions

From: Max Fillinger

Recent versions of mbedtls have dropped support for TLS 1.0 and 1.1.
Rather than checking which versions are supported, drop support for
everything before 1.2.

Change-Id: Ia3883a26ac26df6bbb5353fb074a2e0f814737be
Signed-off-by: Max Fillinger Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/682 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index a68588e..ec9ec13 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1040,12 +1040,8 @@ { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_1) - return TLS_VER_1_1; -#elif defined(MBEDTLS_SSL_PROTO_TLS1) - return TLS_VER_1_0; #else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ - #error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2." + #error "mbedtls is compiled without support for TLS 1.2." #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } @@ -1067,20 +1063,6 @@ switch (tls_ver) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) - case TLS_VER_1_0: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_1; - break; -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) - case TLS_VER_1_1: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_2; - break; -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case TLS_VER_1_2: *major = MBEDTLS_SSL_MAJOR_VERSION_3;
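Review bot: In the first hunk (@@ -1040,12 +1040,8 @@), the #error in the #else branch is now the only alternative to returning TLS_VER_1_2, so an mbedtls build without MBEDTLS_SSL_PROTO_TLS1_2 stops the compile from inside this function body, including builds that previously fell back to TLS_VER_1_1 or TLS_VER_1_0. The commit message does not say that TLS 1.2 becomes a hard build requirement; I would state that there and in the release notes, and consider moving the check to file scope so the requirement is visible at the top of the file. With a single branch left, the trailing comment on the #else line can also go.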
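Review bot: In the second hunk (@@ -1067,20 +1063,6 @@), removing the TLS_VER_1_0 and TLS_VER_1_1 cases means those values now reach whatever switch (tls_ver) does for unhandled input, which is outside the visible context. Please confirm that path fails with a clear message and does not leave *major and *minor unset, since a configuration that still asks for a minimum of 1.0 or 1.1 would otherwise either abort with an unhelpful error or proceed with uninitialised version numbers. If the intent is to treat such requests as 1.2, say so in the commit message and log it at runtime.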