On Sun, Mar 23, 2014 at 1:26 PM, Gert Doering <g...@greenie.muc.de> wrote:
> On Sun, Mar 23, 2014 at 10:22:57AM +0100, Steffan Karger wrote:
> > ACK. Message looks correct and clear to me.
>
> Thanks. Committed and pushed as 2cf9d4e3f06f4a61cb6d159728ac6c8a790d6849.
>
> Can you send the needed patch for master/2.4?

See attachment :)

-Steffan
From 4f9d47bee3bef4102dfe8e13da21ab4bbe0a92a9 Mon Sep 17 00:00:00 2001 From: Steffan Karger <stef...@karger.me> Date: Sun, 23 Mar 2014 14:07:47 +0100 Subject: [PATCH] configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSL SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption". This is something we do not want nor need, but could potentially be used for a future attack. OpenVPN 2.4 requires the flag to be set and will fail configure if the flag is not present. --- configure.ac | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/configure.ac b/configure.ac index c622f33..2da6521 100644 --- a/configure.ac +++ b/configure.ac @@ -793,6 +793,21 @@ if test "${have_openssl_crypto}" = "yes"; then LIBS="${saved_LIBS}" fi +if test "${have_openssl_ssl}" = "yes"; then + AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL]) + AC_EGREP_CPP(have_ssl_op_no_ticket, [ + #include <openssl/ssl.h> + #ifdef SSL_OP_NO_TICKET + have_ssl_op_no_ticket + #endif + ], [ + AC_MSG_RESULT([yes]) + ], [ + AC_MSG_RESULT([no]) + AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL]) + ]) +fi + AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl]) AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl]) have_polarssl_ssl="yes" -- 1.8.3.2
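Review bot: the new block runs AC_EGREP_CPP with whatever CPPFLAGS happen to be in effect, so when the OpenSSL headers live outside the default include path the `#include <openssl/ssl.h>` fails, the grep finds nothing, and configure aborts with the misleading "requires SSL_OP_NO_TICKET in OpenSSL" message instead of reporting the real problem. The crypto block just above ends with `LIBS="${saved_LIBS}"`, so the surrounding probes already scope their flags per check; this one should do the same for the preprocessor, e.g. `saved_CPPFLAGS="${CPPFLAGS}"` and `CPPFLAGS="${CPPFLAGS} ${OPENSSL_SSL_CFLAGS}"` (or whichever variable the earlier OpenSSL probes use for the include flags) before the check, with a restore after it. Two smaller points: AC_ERROR is an obsolete autoconf macro and should be AC_MSG_ERROR, and the failure message would be more useful if it named the minimum OpenSSL version that provides the flag, so a user of an old library knows what to upgrade to rather than just that configure refused to continue.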