On Sun, Mar 23, 2014 at 1:26 PM, Gert Doering <g...@greenie.muc.de> wrote:

> On Sun, Mar 23, 2014 at 10:22:57AM +0100, Steffan Karger wrote:
> > ACK. Message looks correct and clear to me.
>
> Thanks.  Committed and pushed as 2cf9d4e3f06f4a61cb6d159728ac6c8a790d6849.
>
> Can you send the needed patch for master/2.4?
>

See attachment :)

-Steffan
From 4f9d47bee3bef4102dfe8e13da21ab4bbe0a92a9 Mon Sep 17 00:00:00 2001
From: Steffan Karger <stef...@karger.me>
Date: Sun, 23 Mar 2014 14:07:47 +0100
Subject: [PATCH] configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSL

SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption".
This is something we do not want nor need, but could potentially be used
for a future attack. OpenVPN 2.4 requires the flag to be set and will fail
configure if the flag is not present.
---
 configure.ac | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/configure.ac b/configure.ac
index c622f33..2da6521 100644
--- a/configure.ac
+++ b/configure.ac
@@ -793,6 +793,21 @@ if test "${have_openssl_crypto}" = "yes"; then
 	LIBS="${saved_LIBS}"
 fi
 
+if test "${have_openssl_ssl}" = "yes"; then
+    AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL])
+    AC_EGREP_CPP(have_ssl_op_no_ticket, [
+    #include <openssl/ssl.h>
+    #ifdef SSL_OP_NO_TICKET
+    have_ssl_op_no_ticket
+    #endif
+    ], [
+        AC_MSG_RESULT([yes])
+    ], [
+        AC_MSG_RESULT([no])
+        AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])
+    ])
+fi
+
 AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl])
 AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl])
 have_polarssl_ssl="yes"
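Review bot: AC_ERROR in the failure branch of the new AC_EGREP_CPP block is an obsolete macro; modern autoconf expects AC_MSG_ERROR for a fatal configure error, so `AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])` should become `AC_MSG_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])`. AC_EGREP_CPP also runs the preprocessor with the current CPPFLAGS, so if the OpenSSL include path is only carried in the OpenSSL-specific flags (the preceding crypto check saves and restores LIBS, suggesting flags are set per check), the `#include <openssl/ssl.h>` may not resolve and the check will wrongly report "no"; temporarily adding the OpenSSL CFLAGS to CPPFLAGS around the test, as the surrounding checks do for their variables, would avoid that. Minor style point: the new block is indented with four spaces while the surrounding configure.ac context uses tabs.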
-- 
1.8.3.2
