Hi,

On 19-11-17 23:01, Jeremie Courreges-Anglas wrote:
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.
>
>
> From: Jeremie Courreges-Anglas <j...@wxcvbn.org>
> Date: Sun, 19 Nov 2017 22:57:56 +0100
> Subject: [PATCH] Fix build with LibreSSL
> 
> Detect the presence of SSL_CTX_set_security_level(), don't check
> OPENSSL_VERSION_NUMBER.
> 
> Signed-off-by: Jeremie Courreges-Anglas <j...@wxcvbn.org>
> ---
>  configure.ac              | 1 +
>  src/openvpn/ssl_openssl.c | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 7f2e34f2..acfddb22 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -927,6 +927,7 @@ if test "${enable_crypto}" = "yes" -a 
> "${with_crypto_library}" = "openssl"; then
>                       EVP_MD_CTX_reset \
>                       SSL_CTX_get_default_passwd_cb \
>                       SSL_CTX_get_default_passwd_cb_userdata \
> +                     SSL_CTX_set_security_level \
>                       X509_get0_pubkey \
>                       X509_STORE_get0_objects \
>                       X509_OBJECT_free \
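
Review bot: the SSL_CTX_set_security_level entry added to this list is what produces HAVE_SSL_CTX_SET_SECURITY_LEVEL, and the ssl_openssl.c part of this patch uses that macro to gate the body of tls_ctx_set_cert_profile(), so a failed detection compiles the profile handling out without any notice at build time. Consider having configure report when the function is not found, so that a build without security-level support is visible in the configure output rather than only at run time.
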
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index de89cb13..b782946e 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -386,7 +386,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const 
> char *ciphers)
>  void
>  tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
>  {
> -#if (OPENSSL_VERSION_NUMBER >= 0x10100000)
> +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
>      /* OpenSSL does not have certificate profiles, but a complex set of
>       * callbacks that we could try to implement to achieve something similar.
>       * For now, use OpenSSL's security levels to achieve similar (but not 
> equal)
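
Review bot: with the guard at the top of tls_ctx_set_cert_profile() changed to #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL, the branch taken when the macro is undefined now also covers the library this patch targets, and that branch is not visible in this hunk. Please confirm it tells the user that the requested profile is not enforced, since a certificate profile that is silently ignored leaves weaker certificates accepted than the configuration asks for. A short comment next to the #ifdef saying that the test is feature detection and not a version check would also help the next reader.
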
> -- 
> 2.15.0

Patch looks good and clean enough to restore compatibility with libressl.
Tested that this doesn't break --tls-cert-profile with OpenSSL 1.1, and
doesn't break builds with OpenSSL 1.0.

Acked-by: Steffan Karger <stef...@karger.me>
Tested-by: Steffan Karger <stef...@karger.me>

-Steffan
