From patchwork Sun Mar 22 11:12:01 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4848
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 22 Mar 2026 12:12:01 +0100
Message-ID: <20260322111207.8346-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v2] Do not support tls_ctx_set_cert_profile on AWS-LC

From: Arne Schwabe SSL_CTX_set_security_level does nothing on AWS-LC and gives a deprecated warning on compile. It is better to give the user a warning than to effectively silently ignore it as well. Change-Id: I74841d3611c62d3c59fc839bc73a0c83ce025262 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1579 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1579 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 48cbaa8..a26663a 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -518,8 +518,9 @@ void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { -#if OPENSSL_VERSION_NUMBER > 0x10100000L \ - && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL) +#if OPENSSL_VERSION_NUMBER > 0x10100000L \ + && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL) \ + && !defined(OPENSSL_IS_AWSLC) /* OpenSSL does not have certificate profiles, but a complex set of * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) @@ -549,8 +550,8 @@ if (profile) { msg(M_WARN, - "WARNING: OpenSSL 1.1.0 and LibreSSL do not support " - "--tls-cert-profile, ignoring user-set profile: '%s'", + "WARNING: OpenSSL 1.1.0, AWS-LC and LibreSSL < 3.6.0 do not " + "support --tls-cert-profile, ignoring user-set profile: '%s'", profile); } #endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
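
Review bot: In the first hunk (@@ -518,8 +518,9 @@), the new `&& !defined(OPENSSL_IS_AWSLC)` clause has no in-code explanation; the reason (SSL_CTX_set_security_level does nothing on AWS-LC and triggers a deprecation warning) lives only in the commit message. The block comment right below the `#if` still talks about OpenSSL only, so a one-line addition there, saying that AWS-LC is excluded because its security-level call is a no-op, would keep the three-part condition understandable to someone reading ssl_openssl.c without the history.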
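
Review bot: In the second hunk (@@ -549,8 +550,8 @@), the new warning text says "LibreSSL < 3.6.0", but the guard in the first hunk is `LIBRESSL_VERSION_NUMBER > 0x3060000fL`, so a build whose version number equals 0x3060000fL also takes this warning branch. Either word the message as "LibreSSL <= 3.6.0" or change the guard to `>=` if that version is meant to be supported. Separately, the trailing `#endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */` comment now describes only the first of three conditions and could be updated to mention the LibreSSL and AWS-LC clauses.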