[Openvpn-devel] [PATCH] openssl 1.1 tls version support

Wed, 04 Oct 2017 07:40:20 -0700 

Hi,

in https://bugs.debian.org/873302 Kurt Roeckx (Debian OpenSSL
maintainer) submitted a patch for OpenVPN to properly set  the minimum
and maximum TLS version. On Debian Buster (current development) OpenSSL
1.1 defaults to TLSv1.2+ only.

I'm unwilling to carry crypto specific patches in Debian. Can anyone
make some sense out of this and apply the patch if possible?

Please keep Kurt CCed and direct any questions to him.

Bernhard


--- src/openvpn/ssl_openssl.c.bak	2017-08-26 13:10:40.333428825 +0200
+++ src/openvpn/ssl_openssl.c	2017-08-26 13:12:05.143672978 +0200
@@ -215,6 +215,19 @@
 #endif
 }
 
+/* convert internal version number to openssl version number */
+static int
+openssl_tls_version(int ver)
+{
+    if (ver == TLS_VER_1_0)
+        return TLS1_VERSION;
+    else if (ver == TLS_VER_1_1)
+        return TLS1_1_VERSION;
+    else if (ver == TLS_VER_1_2)
+        return TLS1_2_VERSION;
+    return 0;
+}
+
 void
 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
@@ -232,6 +245,17 @@
 
         tls_ver_max =
             (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+        if (tls_ver_min <= TLS_VER_UNSPEC)
+        {
+            SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min));
+        }
+        if (tls_ver_max <= TLS_VER_UNSPEC)
+        {
+            SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max));
+        }
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/
         if (tls_ver_max <= TLS_VER_UNSPEC)
         {
             tls_ver_max = tls_version_max();
@@ -253,6 +277,7 @@
             sslopt |= SSL_OP_NO_TLSv1_2;
         }
 #endif
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifdef SSL_OP_NO_COMPRESSION
         /* Disable compression - flag not available in OpenSSL 0.9.8 */
         sslopt |= SSL_OP_NO_COMPRESSION;


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to