From patchwork Thu Mar 27 11:33:50 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4198
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 27 Mar 2025 12:33:50 +0100
Message-ID: <20250327113356.11233-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v3] Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+

From: Frank Lichtenheld

From release notes:

In TLS clients, if mbedtls_ssl_set_hostname() has not been called, mbedtls_ssl_handshake() now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if certificate-based authentication of the server is attempted. This is because authenticating a server without knowing what name to expect is usually insecure. To restore the old behavior, either call mbedtls_ssl_set_hostname() with NULL as the hostname [...]

Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef
Signed-off-by: Frank Lichtenheld Acked-by: MaxF --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/918 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): MaxF diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 92b52fe..e15c391 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1246,6 +1246,10 @@ ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context); mbedtls_ssl_init(ks_ssl->ctx); mbed_ok(mbedtls_ssl_setup(ks_ssl->ctx, ks_ssl->ssl_config)); + /* We do verification in our own callback depending on the + * exact configuration. We do not rely on the default hostname + * verification. */ + ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); #if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB /* Initialize keying material exporter, new style. */
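Review bot: the added line wraps mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)) in ASSERT(), so a non-zero return aborts the process, while the mbedtls_ssl_setup() call two lines above is only passed through mbed_ok() and its result is otherwise ignored. Passing NULL only clears any previously configured hostname and does not allocate, so a failure here would indicate a broken context rather than a runtime condition and the ASSERT is defensible, but one extra sentence in the new comment explaining why the two calls are treated differently would help the next reader. The more important review point is the claim the comment makes: OpenVPN does peer verification in its own callback and this call now explicitly opts out of the built-in mbedTLS hostname check. The release note quoted in the commit message describes authenticating a server without an expected name as "usually insecure", so the commit message should name that callback and the checks it applies (CA chain validation together with the --remote-cert-tls and --verify-x509-name options) so reviewers can confirm the resulting behaviour matches releases that predate the mbedTLS change, where the hostname was never set either. No version guard is needed around the new call: mbedtls_ssl_set_hostname() is available in both the 2.28 and 3.6 series named in the subject.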