Your message dated Sun, 04 Mar 2018 21:52:21 +0000
with message-id <[email protected]>
and subject line Bug#873302: fixed in openvpn 2.4.5-1
has caused the Debian Bug report #873302,
regarding openvpn: openssl 1.1 tls version support
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
873302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873302
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openvpn
Version: 2.4.3-4
Severity: important
Tags: patch
Hi,
The attached patch adds support for the new way of setting up the
minimum and maximum supported TLS version in OpenSSL.
This is marked as important because if you switch to openssl 1.1.0
the default minimum version in Debian is currently TLS 1.2 and
you can't override it with the options that you're currently using
(and are deprecated).
Kurt
--- src/openvpn/ssl_openssl.c.bak 2017-08-26 13:10:40.333428825 +0200
+++ src/openvpn/ssl_openssl.c 2017-08-26 13:12:05.143672978 +0200
@@ -215,6 +215,19 @@
#endif
}
+/* convert internal version number to openssl version number */
+static int
+openssl_tls_version(int ver)
+{
+ if (ver == TLS_VER_1_0)
+ return TLS1_VERSION;
+ else if (ver == TLS_VER_1_1)
+ return TLS1_1_VERSION;
+ else if (ver == TLS_VER_1_2)
+ return TLS1_2_VERSION;
+ return 0;
+}
+
void
tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
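Review bot: openssl_tls_version() falls through to `return 0` for TLS_VER_UNSPEC and for any value it does not recognise, and the function comment does not say that 0 is intentional. With SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version(), 0 means "lowest/highest version the library supports", so an unrecognised internal value silently widens the accepted range instead of failing. Please document the 0 return in the comment and consider a switch with an explicit default that logs or asserts on unexpected input. Style: the if/else-if bodies here are unbraced, while the code added in the next hunk braces single statements.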
@@ -232,6 +245,17 @@
tls_ver_max =
(ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ if (tls_ver_min <= TLS_VER_UNSPEC)
+ {
+ SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min));
+ }
+ if (tls_ver_max <= TLS_VER_UNSPEC)
+ {
+ SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max));
+ }
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/
if (tls_ver_max <= TLS_VER_UNSPEC)
{
tls_ver_max = tls_version_max();
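Review bot: the two new conditions look inverted: `if (tls_ver_min <= TLS_VER_UNSPEC)` calls SSL_CTX_set_min_proto_version() only when no minimum was configured, so on the 1.1.0 path a configured minimum or maximum never reaches OpenSSL, and the unspecified case passes the helper's fallback 0. For the stated goal of letting the configured options override the library default, the tests should be `> TLS_VER_UNSPEC`, or the calls made unconditionally with the unspecified case handled deliberately. The return values of both setters are also ignored; they return 0 on failure, which should be logged or treated as fatal. Minor: the `#else` comment repeats the `>=` condition although that branch is the pre-1.1.0 path.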
@@ -253,6 +277,7 @@
sslopt |= SSL_OP_NO_TLSv1_2;
}
#endif
+#endif /* OPENSSL_VERSION_NUMBER */
#ifdef SSL_OP_NO_COMPRESSION
/* Disable compression - flag not available in OpenSSL 0.9.8 */
sslopt |= SSL_OP_NO_COMPRESSION;
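Review bot: the added `#endif /* OPENSSL_VERSION_NUMBER */` directly follows an existing bare `#endif`, and its comment does not name the condition it closes. Spell it out as `#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */` so it can be matched against the `#if` in the previous hunk. Since the whole SSL_OP_NO_TLSv1_x block is now compiled out on the 1.1.0 path, it is also worth confirming that nothing between the `#else` and this line, outside the visible context, is still needed there.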
--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.4.5-1
We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated openvpn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 04 Mar 2018 22:23:47 +0100
Source: openvpn
Binary: openvpn
Architecture: source
Version: 2.4.5-1
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
openvpn - virtual private network daemon
Closes: 873302
Changes:
openvpn (2.4.5-1) unstable; urgency=medium
.
* New upstream version 2.4.5 (Closes: #873302)
* Fix wrong Bug# in previous changelog
* Change Vcs-* to salsa (gitlab)
--- End Message ---