On Thu, Dec 14 2017, Steffan Karger <stef...@karger.me> wrote: [...]
> NAK.
>
> Looking at this patch again I realize I have misunderstood the
> intentions when first looking at it. I thought LibreSSL *did* have an
> SSL_CTX_get0_certificate() and this patch would make us use it (instead
> of the workaround in the #else). But this is just about replacing the
> version check with a configure check.

Are you still opposed to such a diff (updated version attached), now that
LibreSSL HEAD provides SSL_CTX_get0_certificate?

> I oppose that change because it
> hides information I want to have: "what code can be purged when we drop
> support for openssl 1.0 and libressl?".

Maybe there's another way to encode that information? Like, consistently
formatted comments describing the first OpenSSL (and LibreSSL) releases
that provided a function?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
From e6d80207bf7f1323670d0bc1102fa51309b1aa14 Mon Sep 17 00:00:00 2001 From: Jeremie Courreges-Anglas <j...@wxcvbn.org> Date: Sun, 4 Mar 2018 19:24:36 +0100 Subject: [PATCH] Detect availability of SSL_CTX_get0_certificate instead of relying on simpler version checks. This allows using SSL_CTX_get0_certificate with LibreSSL. --- configure.ac | 1 + src/openvpn/ssl_openssl.c | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 626b4dd4..e4525b09 100644 --- a/configure.ac +++ b/configure.ac @@ -918,6 +918,7 @@ if test "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + SSL_CTX_get0_certificate \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8ef68ebd..19580312 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -459,8 +459,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - /* OpenSSL 1.0.2 and up */ +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE + /* OpenSSL 1.0.2 and up, LibreSSL 2.7.0 and up */ cert = SSL_CTX_get0_certificate(ctx->ctx); #else /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */ @@ -494,7 +494,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) } cleanup: -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) +#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE SSL_free(ssl); #endif return; -- 2.16.0
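Review bot: in the configure.ac hunk the new `SSL_CTX_get0_certificate \` entry only works because autoconf turns each name in this function list into a `HAVE_<NAME>` define, so the spelling must match the `#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE` in ssl_openssl.c exactly (it does). Since the cover mail says the symbol is only in LibreSSL HEAD, the commit message should state the first LibreSSL release expected to pass this check (the code comment names 2.7.0), otherwise the "what can be purged later" information the earlier review asked for lives only in one C comment.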
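Review bot: in the `@@ -459,8 +459,8 @@` hunk the `#else` branch still says `/* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */`, but under the `#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE` guard that branch is now also taken on LibreSSL before 2.7.0 and on any build where the configure check fails. Update it to mirror the new `/* OpenSSL 1.0.2 and up, LibreSSL 2.7.0 and up */` comment so both halves record which releases they cover; that is exactly the version information the previous NAK wanted preserved.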
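Review bot: in the `@@ -494,7 +494,7 @@` hunk the `#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE` around `SSL_free(ssl);` must remain the exact complement of the `#ifdef` in the earlier hunk, since the SSL object only exists on that `#else` path; the patch keeps them paired, and keying both on one macro instead of two separately maintained version expressions makes that pairing easier to audit. A one-line comment at `cleanup:` noting that this free mirrors the `#else` allocation above would help the next reader who touches only one of the two sites.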
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel