Hi,

On Tue, Mar 18, 2014 at 05:40:41PM +0100, Steffan Karger wrote:
> > So it seems I spoke too soon... sorry for the noise, although I must
> > say that I'm still in favour of checking for the existence of an IFDEF
> > instead of relying on a particular version...
>
> Point taken, just checking the OpenSSL version does not suffice.
> Still, I'd like to prevent more #ifdef's in the code. We could
> check the #ifdef in configure.ac, and refuse to build when it's
> not present. Any objections against requiring SSL_OP_NO_TICKET to
> be present for OpenVPN 2.4+? We have to drop support for 'ancient
> stuff' at some point.
If I understood this all right, this feature improves OpenVPN security
against yet-unknown attacks using a feature of OpenSSL that we don't
use anyway. Right?
So in that case, I'm fine with your proposal - do something on configure.ac
that will check for SSL_OP_NO_TICKET and complain (with a useful error
message :) ) if it's not there.
For 2.3, I'd propose to add code to ssl_openssl.h like this:
/* SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
* as this is something we do not want nor need, but could potentially be
* used for a future attack. For compatibility reasons, in the 2.3.x
* series, we keep building if the OpenSSL version is too old to support
* this. 2.4 requires it and will fail configure if not present.
*/
#ifndef SSL_OP_NO_TICKET
# define SSL_OP_NO_TICKET 0
#endif
ACK? Is the message correct?
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
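The configure-time check discussed in the message above, written out as an added illustration (this is not code from the OpenVPN tree or from either poster). It uses autoconf's AC_CHECK_DECL, which also accepts preprocessor macros, to look for SSL_OP_NO_TICKET in <openssl/ssl.h> and abort configure with an explicit message when it is missing, which is the 2.4+ behaviour proposed in the thread. The variable OPENSSL_CFLAGS and the wording of the error are assumptions for illustration:

```m4
dnl Added example, not part of OpenVPN's configure.ac.
dnl Assumes the OpenSSL detection above has put the include path into
dnl OPENSSL_CFLAGS (assumed name); the check must see the same headers
dnl the build will use, so they are added to CPPFLAGS for the test only.
saved_CPPFLAGS="${CPPFLAGS}"
CPPFLAGS="${CPPFLAGS} ${OPENSSL_CFLAGS}"

dnl AC_CHECK_DECL(symbol, [if-found], [if-not-found], [includes])
dnl A macro counts as "declared", so this works for SSL_OP_NO_TICKET.
AC_CHECK_DECL(
	[SSL_OP_NO_TICKET],
	[],
	[AC_MSG_ERROR([OpenSSL does not define SSL_OP_NO_TICKET (needed to disable stateless session resumption); OpenVPN 2.4+ requires an OpenSSL version that provides it])],
	[[#include <openssl/ssl.h>]]
)

CPPFLAGS="${saved_CPPFLAGS}"
```

With this in place the build fails early and loudly on an OpenSSL too old to offer the option, instead of silently compiling a `SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET)` call that does nothing. That silent no-op is exactly what the 2.3.x `#define SSL_OP_NO_TICKET 0` compatibility shim in the message accepts on purpose, which is why the comment there spells out that the protection is absent on such versions.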
