On Sun, Nov 19 2017, Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
>> .. of course this conflicts with o->renegotiate_seconds_min...
>>
>> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3
>> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
>> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
>>
>> Also tested with openssl 1.0.1, where it warns and does nothing, as
>> expected. Good :-)
>
> I *should* have tested with LibreSSL as well...
>
> ssl_openssl.o: In function `tls_ctx_set_cert_profile':
> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:404:
> undefined reference to `SSL_CTX_set_security_level'
> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400:
> undefined reference to `SSL_CTX_set_security_level'
>
> ... *roll eyes*
>
> (Not sure, though, why it only complains about two out of three, but
> still annoyance... if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x10100000
> it better should provide everything needed)
LibreSSL defines:

  #define OPENSSL_VERSION_NUMBER 0x20000000L

breaking #ifdef checks based on it. Sadly, people tend to prefer adding && !defined(LIBRESSL_VERSION_NUMBER) to fix the build, rather than doing feature detection using autoconf or similar. openvpn can easily solve this.

> This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
> setup can provide nicely if anyone wants to have a look :-)

Here's a diff, master builds and seems to run fine as a client on OpenBSD-current. I can cook a similar diff for the remaining OPENSSL / LIBRESSL_VERSION_NUMBER #ifdef.
From 15315d3c3b25814a426bfc8184c4dfd262f28768 Mon Sep 17 00:00:00 2001 From: Jeremie Courreges-Anglas <j...@wxcvbn.org> Date: Sun, 19 Nov 2017 22:57:56 +0100 Subject: [PATCH] Fix build with LibreSSL Detect the presence of SSL_CTX_set_security_level(), don't check OPENSSL_VERSION_NUMBER. Signed-off-by: Jeremie Courreges-Anglas <j...@wxcvbn.org> --- configure.ac | 1 + src/openvpn/ssl_openssl.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 7f2e34f2..acfddb22 100644 --- a/configure.ac +++ b/configure.ac @@ -927,6 +927,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_reset \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ + SSL_CTX_set_security_level \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index de89cb13..b782946e 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -386,7 +386,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { -#if (OPENSSL_VERSION_NUMBER >= 0x10100000) +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL /* OpenSSL does not have certificate profiles, but a complex set of * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) -- 2.15.0
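Review bot: in the configure.ac hunk, adding `SSL_CTX_set_security_level \` to the AC_CHECK_FUNCS list is a link test against the crypto library actually selected, so it gives the right answer for LibreSSL (which advertises OPENSSL_VERSION_NUMBER 0x20000000L but does not export the symbol) as well as for OpenSSL 1.0.1 and 1.1.x, and it keeps the list in sorted order inside the `with_crypto_library = openssl` branch. The commit message should also say that any build which does not go through configure (a hand-maintained config header) now has to define HAVE_SSL_CTX_SET_SECURITY_LEVEL itself, otherwise an OpenSSL 1.1 build silently loses --tls-cert-profile enforcement.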
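Review bot: in the ssl_openssl.c hunk, replacing `#if (OPENSSL_VERSION_NUMBER >= 0x10100000)` with `#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL` is the right fix for the unresolved SSL_CTX_set_security_level references, but the hunk only shows the #if line, and the consequence for the other branch deserves a sentence in the commit message: LibreSSL builds will now take the same path Gert saw with OpenSSL 1.0.1 (warn and do nothing), so --tls-cert-profile is accepted but not enforced there. Since the macro now comes from config.h rather than from the OpenSSL headers, it is also worth confirming that every translation unit using this #ifdef includes config.h before the check, or the branch is silently never compiled.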
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
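The following C program is an added example, not code from OpenVPN or from the patch above. It decodes OPENSSL_VERSION_NUMBER according to OpenSSL's documented 0xMNNFFPPS layout and compares the two gating strategies discussed in the message: a version-number comparison (the original `>= 0x10100000` check) against a feature macro derived from a configure link test (what AC_CHECK_FUNCS produces). The library table, including the link-test results, is constructed for the example; the LibreSSL value is the one quoted above, the OpenSSL values are the release numbers for 1.0.1 and 1.1.0.

```c
/*
 * Added example: why a version gate on OPENSSL_VERSION_NUMBER misfires for
 * LibreSSL while a configure-derived feature macro does not. Not OpenVPN code.
 */
#include <stdio.h>

struct ssl_ver { unsigned major, minor, fix, patch, status; };

/* Split an OPENSSL_VERSION_NUMBER (0xMNNFFPPS) into its fields. */
static struct ssl_ver decode_version(unsigned long v)
{
    struct ssl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* The gate the old code used: "API is 1.1.0 or newer". */
static int version_gate(unsigned long v)
{
    return v >= 0x10100000UL;
}

/* How configure sees a library: what its header claims, and whether a test
 * program calling SSL_CTX_set_security_level actually links. */
struct tls_lib {
    const char *name;
    unsigned long version_number;
    int links_security_level;   /* constructed result of the AC_CHECK_FUNCS link test */
};

/* Constructed table for the three libraries discussed in the thread. */
static const struct tls_lib libs[] = {
    { "OpenSSL 1.0.1", 0x1000100fUL, 0 },
    { "OpenSSL 1.1.0", 0x1010000fUL, 1 },
    { "LibreSSL",      0x20000000UL, 0 },   /* claims "2.0.0", lacks the function */
};
#define NLIBS (sizeof libs / sizeof libs[0])

enum verdict { EXCLUDED, ENABLED, FALSE_POSITIVE };

/* Version gate: compiles the call whenever the number is large enough,
 * regardless of whether the symbol exists; FALSE_POSITIVE means link error. */
static enum verdict version_gate_verdict(const struct tls_lib *lib)
{
    if (!version_gate(lib->version_number))
        return EXCLUDED;
    return lib->links_security_level ? ENABLED : FALSE_POSITIVE;
}

/* Feature gate: HAVE_SSL_CTX_SET_SECURITY_LEVEL is derived from the same link
 * test, so it can only enable the call where the call links. */
static enum verdict feature_gate_verdict(const struct tls_lib *lib)
{
    return lib->links_security_level ? ENABLED : EXCLUDED;
}

/* Number of libraries for which the version gate would break the build. */
static int count_version_gate_breakage(void)
{
    int n = 0;
    for (size_t i = 0; i < NLIBS; i++)
        if (version_gate_verdict(&libs[i]) == FALSE_POSITIVE)
            n++;
    return n;
}

int main(void)
{
    static const char *names[] = { "excluded", "enabled", "LINK ERROR" };
    for (size_t i = 0; i < NLIBS; i++) {
        struct ssl_ver v = decode_version(libs[i].version_number);
        printf("%-14s 0x%08lx (%u.%u.%u)  version gate: %-10s  feature gate: %s\n",
               libs[i].name, libs[i].version_number, v.major, v.minor, v.fix,
               names[version_gate_verdict(&libs[i])],
               names[feature_gate_verdict(&libs[i])]);
    }
    return count_version_gate_breakage() == 0 ? 0 : 1;
}
```

Running it prints one row per library; only LibreSSL gets "LINK ERROR" under the version gate, which is exactly the `undefined reference to SSL_CTX_set_security_level` seen on the OpenBSD buildslave, while the feature gate excludes it cleanly, the same way it excludes OpenSSL 1.0.1.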
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel