From patchwork Sat Apr 4 07:23:30 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4869
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 4 Apr 2026 09:23:30 +0200
Message-ID: <20260404072336.30014-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v6] Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage

From: Arne Schwabe

The ASN_BIT_STRING object has become opaque in OpenSSL 4.0. So instead of accessing the internals, we now have to use a method to check these attributes.

The bit counting in ASN.1, and therefore of this method, is a bit strange: it counts bits from the left instead of the right, so the previous mask of 0x80 for clients is now bit 0 and 0x40 for server is now bit 1.

Change-Id: I77500d435f212a4bf42ee8cfca07d0285fe694f2
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1587
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1587
This mail reflects revision 6 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld
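The bit-numbering point in the commit message, as an added example that is not part of this patch or of OpenVPN's code: a minimal DER BIT STRING parser plus a get_bit with ASN.1 numbering (the same contract as OpenSSL's ASN1_BIT_STRING_get_bit, reimplemented here so it runs without OpenSSL), checked against the old first-octet mask on constructed nsCertType values, including the absent-extension and zero-length cases. The sample DER bytes and all function names are assumptions.

```c
#include <stddef.h>

#define NS_SSL_CLIENT_MASK 0x80 /* OpenSSL's NS_SSL_CLIENT: MSB of the first content octet */
#define NS_SSL_SERVER_MASK 0x40 /* OpenSSL's NS_SSL_SERVER: next bit down */

struct bitstr { const unsigned char *data; int length; };

/* Constructed samples (not from a real certificate). A DER BIT STRING is
 * tag 0x03, length, an unused-bits octet, then the content octets. */
static const unsigned char client_der[] = { 0x03, 0x02, 0x07, 0x80 }; /* bit 0 only: SSL client */
static const unsigned char server_der[] = { 0x03, 0x02, 0x06, 0x40 }; /* bit 1 only: SSL server */
static const unsigned char empty_der[]  = { 0x03, 0x01, 0x00 };       /* zero-length bit string */

/* Parse a short-form DER BIT STRING; on failure *out is zeroed, which looks
 * to the callers below exactly like an absent nsCertType extension. */
static int parse_bitstring(const unsigned char *der, size_t der_len, struct bitstr *out)
{
    out->data = NULL;
    out->length = 0;
    if (der == NULL || der_len < 3 || der[0] != 0x03) return 0;
    size_t len = der[1];
    if ((len & 0x80) || len == 0 || 2 + len > der_len || der[2] > 7) return 0;
    out->data = der + 3;
    out->length = (int)len - 1; /* content octets, excluding the unused-bits octet */
    return 1;
}

/* ASN.1 numbering: bit 0 is the MSB of the first content octet, so the old 0x80
 * mask is bit 0 and 0x40 is bit 1. As with OpenSSL's ASN1_BIT_STRING_get_bit,
 * a NULL or too-short string yields 0 rather than a read past the end. */
static int bitstr_get_bit(const struct bitstr *bs, int n)
{
    int w = n / 8, v = 1 << (7 - (n & 7));
    if (bs == NULL || bs->data == NULL || bs->length < w + 1) return 0;
    return (bs->data[w] & v) != 0;
}

/* The pre-patch check: NULL/empty guard, then mask the first content octet. */
static int old_mask_check(const struct bitstr *bs, unsigned char mask)
{
    return bs != NULL && bs->length > 0 && (bs->data[0] & mask) != 0;
}

/* 1 if the old mask check and the new bit-index check agree for both flags. */
static int old_vs_new_agree(const unsigned char *der, size_t der_len)
{
    struct bitstr bs;
    parse_bitstring(der, der_len, &bs);
    return old_mask_check(&bs, NS_SSL_CLIENT_MASK) == bitstr_get_bit(&bs, 0)
        && old_mask_check(&bs, NS_SSL_SERVER_MASK) == bitstr_get_bit(&bs, 1);
}
```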
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 08946cd..c70022f 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -609,22 +609,27 @@ if (usage == NS_CERT_CHECK_CLIENT) { /* - * Unfortunately, X509_check_purpose() does some weird thing that + * Unfortunately, X509_check_purpose() before OpenSSL 4.0 does some weird thing that * prevent it to take a const argument */ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ? SUCCESS : FAILURE; - /* - * old versions of OpenSSL allow us to make the less strict check we used to - * do. If this less strict check pass, warn user that this might not be the - * case when its distribution will update to OpenSSL 1.1 + * Note that we did not check for netscape certificate type here but + * instead a general SSL/TLS client purpose. These nscert attributes + * might stop being accepted by TLS libraries in the future. + * Currently, OpenSSL 4.0 and aws-lc 1.9.0 still consider nscert client + * as acceptable. + * + * So in case that this check failed, we now check if this is caused + * by the check above no longer recognising nscert attributes. */ if (result == FAILURE) { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; + // bit 0 is to check if certificate is the client certificate + result = ASN1_BIT_STRING_get_bit(ns, 0) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " 
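Review bot: The `ns &&` / `ASN1_STRING_length(ns) > 0` guard on the removed `result =` line is gone, and the new `ASN1_BIT_STRING_get_bit(ns, 0)` is called with whatever `X509_get_ext_d2i` returned, which is NULL when the nsCertType extension is absent. That is only safe because `ASN1_BIT_STRING_get_bit` itself returns 0 for a NULL or too-short bit string; say so in the comment, so the next reader neither re-adds the guard nor dereferences `ns` ahead of the call. Two style points in the same hunk: the `// bit 0 is to check if certificate is the client certificate` line is a C++-style comment in a file that otherwise uses `/* */` blocks, and the rewritten first comment ("does some weird thing that prevent it to take a const argument") would read better as "prevents it from taking a const argument".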
@@ -637,22 +642,27 @@ if (usage == NS_CERT_CHECK_SERVER) { /* - * Unfortunately, X509_check_purpose() does some weird thing that + * Unfortunately, X509_check_purpose() before OpenSSL 4.0 does some weird thing that * prevent it to take a const argument */ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ? SUCCESS : FAILURE; /* - * old versions of OpenSSL allow us to make the less strict check we used to - * do. If this less strict check pass, warn user that this might not be the - * case when its distribution will update to OpenSSL 1.1 + * Note that we did not check for netscape certificate type here but + * instead a general SSL/TLS server purpose. These nscert attributes + * might stop being accepted by TLS libraries in the future. + * Currently, OpenSSL 4.0 and aws-lc 1.9.0 still consider nscert server + * as acceptable. + * + * So in case that this check failed, we now check if this is caused + * by the check above no longer recognising nscert attributes. */ if (result == FAILURE) { - ASN1_BIT_STRING *ns; - ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; + ASN1_BIT_STRING *ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); + // Server bit is 1 for ASN1_BIT_STRING_get_bit + result = ASN1_BIT_STRING_get_bit(ns, 1) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
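Review bot: This branch is now a near-verbatim copy of the client branch above, differing only in the purpose constant, the bit index and the warning text, and the two are already drifting: the client branch keeps the two-line `ASN1_BIT_STRING *ns; ns = ...`, this one folds it into `ASN1_BIT_STRING *ns = X509_get_ext_d2i(...)`, and the two `//` comments are worded differently. A small static helper taking the bit index (0 for client, 1 for server) would keep both checks in step and leave one place to document that dropping the `ns &&` guard relies on `ASN1_BIT_STRING_get_bit` returning 0 for a NULL or too-short string. Same comment-style remark as above for `// Server bit is 1 for ASN1_BIT_STRING_get_bit`.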