On 18.09.19 at 14:01, Gert Doering wrote:
> Your patch has been applied to the release/2.4 branch.
> Sorry for the delay.  Vacation, and too many distractions.
> Lightly tested on an OpenSSL 1.1, an mbedTLS build and a LibreSSL 2.7.2
> on OpenBSD 6.3 - with OpenSSL and mbedTLS, it builds and passes all
> tests.  
> With LibreSSL 2.7.2, it fails due to
> ./../../openvpn.git/src/openvpn/ssl_openssl.c:1873: undefined reference to 
> `SSL_get1_supported_ciphers'
> which looks like this:
> #if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
>     STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
> #else
>     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);   
> #endif
> this is code which has been in release/2.4 for quite some time (part of
> the TLS 1.3 support, commit e8467c864, "--show-tls" enhancements) - so 
> if it doesn't break for you, I assume that the call was added to more
> recent LibreSSL versions.

I was testing against LibreSSL 2.9.2, the oldest for FreeBSD, and this
particular call is listed in the OpenBSD 6.5 changelog here: "Provided SSL_get_client_ciphers()
and SSL_get1_supported_ciphers() (part of the OpenSSL 1.1 API)." But I
haven't figured out when or where this was added to LibreSSL releases.

It really looks to me that there isn't a strategy for LibreSSL, but I'll
not backport things to old LibreSSL versions; the answer should be
"upgrade or else leave it to your packager/distributor".
