On Sun, Jul 30, 2017 at 05:57:37PM +0200, Baptiste Jonglez wrote:
> Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
> This breaks openvpn clients that try to connect to servers that
> present a TLS certificate signed with SHA1, which is fairly common.
>
> Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
>
> Fixes: FS#942
This can be cherry-picked cleanly on the lede-17.01 branch. I think it should be done, because the update to 2.5.1 broke a working use-case. > Signed-off-by: Baptiste Jonglez <g...@bitsofnetworks.org> > --- > package/libs/mbedtls/Makefile | 2 +- > package/libs/mbedtls/patches/200-config.patch | 9 +++++++++ > 2 files changed, 10 insertions(+), 1 deletion(-) > > diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile > index 4cceb743d5..101324de07 100644 > --- a/package/libs/mbedtls/Makefile > +++ b/package/libs/mbedtls/Makefile > @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk > > PKG_NAME:=mbedtls > PKG_VERSION:=2.5.1 > -PKG_RELEASE:=1 > +PKG_RELEASE:=2 > PKG_USE_MIPS16:=0 > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz > diff --git a/package/libs/mbedtls/patches/200-config.patch > b/package/libs/mbedtls/patches/200-config.patch > index 39de3cc1ec..fb5a74fc65 100644 > --- a/package/libs/mbedtls/patches/200-config.patch > +++ b/package/libs/mbedtls/patches/200-config.patch > @@ -269,3 +269,12 @@ > > /* \} name SECTION: mbed TLS modules */ > > +@@ -2646,7 +2646,7 @@ > + * recommended because of it is possible to generte SHA-1 collisions, > however > + * this may be safe for legacy infrastructure where additional controls > apply. > + */ > +-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES > ++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES > + > + /** > + * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
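Review bot: the 200-config.patch hunk flips MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES for the shared library as a whole, so every package linked against mbedtls on LEDE accepts SHA-1-signed certificates again, not only openvpn, and the upstream comment carried as context in this same hunk says that is not recommended because SHA-1 collisions are possible and is only defensible "for legacy infrastructure where additional controls apply". Since the macro only changes the library default, the less invasive fix is to leave the default strict and let openvpn (the one consumer the commit message names as broken) opt into a SHA-1-tolerant certificate profile on its own SSL configuration, or at least gate the define behind a build-time option so images that do not need it keep the 2.5.1 behaviour. Separately, this copy of the patch has been line-wrapped by the mailer: the second `diff --git a/... > b/...` header is split across two quoted lines and the comment context lines end in stray `> however` and `> apply.` fragments, so the patch will not apply from the message as posted; please resend with wrapping disabled (for example via git send-email) so it can be applied verbatim.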
_______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev