On Sun, Nov 19 2017, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
> On Sun, Nov 19 2017, Gert Doering <g...@greenie.muc.de> wrote:
>> Hi,
>>
>> On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
>>> .. of course this conflicts with o->renegotiate_seconds_min...
>>>
>>> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3
>>> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
>>> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
>>>
>>> Also tested with openssl 1.0.1, where it warns and does nothing, as
>>> expected. Good :-)
>>
>> I *should* have tested with LibreSSL as well...
>>
>> ssl_openssl.o: In function `tls_ctx_set_cert_profile':
>> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:404:
>> undefined reference to `SSL_CTX_set_security_level'
>> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400:
>> undefined reference to `SSL_CTX_set_security_level'
>>
>> ... *roll eyes*
>>
>> (Not sure, though, why it only complains about two out of three, but
>> still annoyance... if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x10100000
>> it better should provide everything needed)
>
> LibreSSL defines:
>
> #define OPENSSL_VERSION_NUMBER 0x20000000L
>
> breaking #ifdef checks based on it. Sadly, people tend to prefer adding
>
> && !defined(LIBRESSL_VERSION_NUMBER)
>
> to fix the build, rather than doing feature detection using autoconf or
> similar. openvpn can easily solve this.
>
>> This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
>> setup can provide nicely if anyone wants to have a look :-)
>
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.
>
> I can cook a similar diff for the remaining OPENSSL /
> LIBRESSL_VERSION_NUMBER #ifdef.
Here's another diff to detect SSL_CTX_get0_certificate(). Tested against LibreSSL only; adding #define HAVE_SSL_CTX_GET0_CERTIFICATE 1 to config.h lets ssl_openssl.c build (with a warning), and the link then fails as expected.
From 1abd6089a45260e4ce7adfae3fa619f9055edcaf Mon Sep 17 00:00:00 2001 From: Jeremie Courreges-Anglas <j...@wxcvbn.org> Date: Sun, 19 Nov 2017 23:12:30 +0100 Subject: [PATCH] Detect if SSL_CTX_get0_certificate is available Don't rely on #ifdef OPENSSL/LIBRESSL_VERSION_NUMBER checks. Signed-off-by: Jeremie Courreges-Anglas <j...@wxcvbn.org> --- configure.ac | 1 + src/openvpn/ssl_openssl.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index acfddb22..ac6e7a76 100644 --- a/configure.ac +++ b/configure.ac @@ -925,6 +925,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + SSL_CTX_get0_certificate \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b782946e..3df70166 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -425,7 +425,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE /* OpenSSL 1.0.2 and up */ cert = SSL_CTX_get0_certificate(ctx->ctx); #else @@ -460,7 +460,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) } cleanup: -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) +#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE SSL_free(ssl); #endif return; -- 2.15.0
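Review bot: for the configure.ac hunk, adding `SSL_CTX_get0_certificate` to this AC_CHECK_FUNCS list is a link-time test, which is the right tool here because the breakage Gert reported is an "undefined reference" at link time rather than a missing header declaration; note that it does not check for a prototype, which is why forcing `#define HAVE_SSL_CTX_GET0_CERTIFICATE 1` into config.h on LibreSSL still compiles with an implicit-declaration warning before the link fails, as the cover text describes. The list is evaluated only under `"${with_crypto_library}" = "openssl"`, which matches the only consumer of the macro (ssl_openssl.c), and the new entry keeps the existing alphabetical order between `EVP_MD_CTX_reset` and `SSL_CTX_get_default_passwd_cb`.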
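Review bot: in the first ssl_openssl.c hunk, the trailing comment `/* OpenSSL 1.0.2 and up */` on the new `#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE` line now documents a version condition the code no longer tests; suggest dropping it or rewording it to describe the feature (for example `/* SSL_CTX_get0_certificate() available */`) so a later reader does not reintroduce a version test. Replacing `OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)` with the configure-generated macro is otherwise the right fix: the old expression had to special-case LibreSSL by name because LibreSSL reports `OPENSSL_VERSION_NUMBER 0x20000000L`, whereas the macro asks directly whether the symbol links, which also covers any other fork whose version number does not track OpenSSL's.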
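Review bot: in the second ssl_openssl.c hunk, `#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE` is the exact complement of the `#ifdef` guarding the `SSL_CTX_get0_certificate()` call above, so the `SSL_free(ssl)` under `cleanup:` is now paired with the fallback branch through a single macro instead of two hand-mirrored version expressions (`>= 0x10002000L && !defined(...)` versus `< 0x10002000L || defined(...)`), which removes the chance of the two conditions drifting apart and leaking or double-freeing `ssl`. One thing to keep in mind: the `return;` after `cleanup:` is what keeps the label legal in C when the macro is defined and the `SSL_free()` is compiled out, so it must not be removed as "redundant" in a later cleanup.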
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel