Hi,

On Sat, Mar 22, 2014 at 7:35 PM, Gert Doering <g...@greenie.muc.de> wrote:
> On Tue, Mar 18, 2014 at 05:40:41PM +0100, Steffan Karger wrote:
> > > So it seems I spoke too soon... sorry for the noise, although I must
> > > say that I'm still in favour of checking for the existence of an IFDEF
> > > instead of relying on a particular version...
> >
> > Point taken, just checking the OpenSSL version does not suffice.
> > Still, I'd like to prevent more #ifdef's in the code. We could
> > check the #ifdef in configure.ac, and refuse to build when it's
> > not present. Any objections against requiring SSL_OP_NO_TICKET to
> > be present for OpenVPN 2.4+? We have to drop support for 'ancient
> > stuff' at some point.
>
> If I understood this all right, this feature improves OpenVPN security
> against yet-unknown attacks using a feature of OpenSSL that we don't
> use anyway. Right?

Right.

> So in that case, I'm fine with your proposal - do something on configure.ac
> that will check for SSL_OP_NO_TICKET and complain (with a useful error
> message :) ) if it's not there.
>
> For 2.3, I'd propose to add code to ssl_openssl.h like this:
>
> /* SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
>  * as this is something we do not want nor need, but could potentially be
>  * used for a future attack. For compatibility reasons, in the 2.3.x
>  * series, we keep building if the OpenSSL version is too old to support
>  * this.  2.4 requires it and will fail configure if not present.
>  */
> #ifndef SSL_OP_NO_TICKET
> # define SSL_OP_NO_TICKET 0
> #endif
>
> ACK? Is the message correct?

ACK. Message looks correct and clear to me (but please remove the double space before 2.4).

-Steffan
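One way the configure.ac check proposed in this thread could look, as an added illustration rather than OpenVPN's actual configure.ac: it assumes an `OPENSSL_CFLAGS` variable has already been filled in by the OpenSSL detection earlier in the script, and uses autoconf's `AC_CHECK_DECL` to probe for `SSL_OP_NO_TICKET` in `<openssl/ssl.h>` and abort with an explanatory message when it is missing.

```m4
dnl Hypothetical configure.ac fragment (not OpenVPN's own): refuse to build
dnl against an OpenSSL whose headers predate SSL_OP_NO_TICKET, so that the
dnl option disabling stateless session resumption (TLS session tickets) can
dnl be set unconditionally in the C code instead of behind another #ifdef.
dnl Assumes OPENSSL_CFLAGS was set by the OpenSSL detection above this point.
saved_CFLAGS="${CFLAGS}"
CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
AC_CHECK_DECL(
	[SSL_OP_NO_TICKET],
	[],
	[AC_MSG_ERROR([OpenSSL is too old: SSL_OP_NO_TICKET is not defined. OpenVPN requires it to disable TLS session tickets (stateless session resumption). Please upgrade OpenSSL.])],
	[[#include <openssl/ssl.h>]]
)
CFLAGS="${saved_CFLAGS}"
```

With this check in place the 2.3-style `#ifndef SSL_OP_NO_TICKET` fallback becomes unnecessary for 2.4+, since configure guarantees the macro exists before compilation starts.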