Hi,
openvpn-2.4.7 was released earlier today, with support for TLSv1.3. That doesn't change much for us: TLSv1.3 is in the works in LibreSSL, and there's no code yet in OpenVPN to support TLSv1.3 with mbedtls. https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 I thought I'd mention this from the announcement mail: --8<-- Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that. -->8-- Given the way past API differences between OpenSSL and LibreSSL have been dealt with upstream, the statement doesn't change things for ports users anyway. My efforts with upstream have stalled in the past months. Which leads us to this diff, with some parts force-disabling the TLSv1.3 code paths introduced upstream. I dislike the OPENSSL_NO_* macros even more than the OPENSSL_VERSION_NUMBER checks, but since that's what the ecosystem seems to prefer... Reviews and tests welcome.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
retrieving revision 1.92
diff -u -p -r1.92 Makefile
--- Makefile 7 Dec 2018 18:31:33 -0000 1.92
+++ Makefile 21 Feb 2019 14:37:20 -0000
@@ -2,9 +2,8 @@
 COMMENT= easy-to-use, robust, and highly configurable VPN
-DISTNAME= openvpn-2.4.6
+DISTNAME= openvpn-2.4.7
 CATEGORIES= net security
-REVISION= 1
 HOMEPAGE= https://openvpn.net/index.php/open-source/
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/openvpn/distinfo,v
retrieving revision 1.41
diff -u -p -r1.41 distinfo
--- distinfo 24 Apr 2018 17:32:43 -0000 1.41
+++ distinfo 21 Feb 2019 14:37:20 -0000
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.4.6.tar.gz) = c429N/z465OCxTYo2yIljEG6lVAWVRnZIA6L6670y+I=
-SIZE (openvpn-2.4.6.tar.gz) = 1431971
+SHA256 (openvpn-2.4.7.tar.gz) = c9zlQu09bwVTZ09JAl373/GDSOuKJeYhUTXWhrFlQjw=
+SIZE (openvpn-2.4.7.tar.gz) = 1457784
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/net/openvpn/patches/patch-configure,v
retrieving revision 1.19
diff -u -p -r1.19 patch-configure
--- patches/patch-configure 4 Mar 2018 19:03:00 -0000 1.19
+++ patches/patch-configure 21 Feb 2019 14:37:20 -0000
@@ -2,7 +2,7 @@ $OpenBSD: patch-configure,v 1.19 2018/03
 Index: configure
 --- configure.orig
 +++ configure
-@@ -18057,7 +18057,7 @@ else
+@@ -18033,7 +18033,7 @@ else
  fi
Index: patches/patch-src_openvpn_ssl_c
===================================================================
RCS file: patches/patch-src_openvpn_ssl_c
diff -N patches/patch-src_openvpn_ssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_openvpn_ssl_c 21 Feb 2019 14:37:20 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/openvpn/ssl.c
+--- src/openvpn/ssl.c.orig
++++ src/openvpn/ssl.c
+@@ -4146,7 +4146,7 @@ show_available_tls_ciphers(const char *cipher_list,
+ {
+     printf("Available TLS Ciphers, listed in order of preference:\n");
+
+-#if (ENABLE_CRYPTO_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x1010100fL)
++#if (ENABLE_CRYPTO_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_TLS1_3))
+     printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
+     show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
+ #else
Index: patches/patch-src_openvpn_ssl_openssl_c
===================================================================
RCS file: patches/patch-src_openvpn_ssl_openssl_c
diff -N patches/patch-src_openvpn_ssl_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_openvpn_ssl_openssl_c 21 Feb 2019 14:37:20 -0000
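Review bot: The new patch-src_openvpn_ssl_c file has no explanation after the `$OpenBSD$` marker, so the next maintainer cannot tell from the file why `OPENSSL_VERSION_NUMBER >= 0x1010100fL` alone is not enough here; OpenBSD port patches conventionally carry a one-line purpose there, e.g. `Gate the TLS 1.3 listing on OPENSSL_NO_TLS1_3 as well: OPENSSL_VERSION_NUMBER does not reflect TLS 1.3 availability with LibreSSL.` The guard itself only does its job if the LibreSSL headers the port builds against actually define `OPENSSL_NO_TLS1_3`; that is presumably the case for the base LibreSSL this targets, but it is worth stating in the comment since nothing in the hunk checks it. Note that `show_available_tls_ciphers()` starts before the hunk and its `#else` branch continues past it, so the non-TLS-1.3 output path is not reviewable from here.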
@@ -0,0 +1,41 @@
+$OpenBSD$
+
+Index: src/openvpn/ssl_openssl.c
+--- src/openvpn/ssl_openssl.c.orig
++++ src/openvpn/ssl_openssl.c
+@@ -206,7 +206,7 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int wher
+ int
+ tls_version_max(void)
+ {
+-#if defined(TLS1_3_VERSION)
++#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+     return TLS_VER_1_3;
+ #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
+     return TLS_VER_1_2;
+@@ -233,7 +233,7 @@ openssl_tls_version(int ver)
+ {
+     return TLS1_2_VERSION;
+ }
+-#if defined(TLS1_3_VERSION)
++#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+ else if (ver == TLS_VER_1_3)
+ {
+     return TLS1_3_VERSION;
+@@ -459,7 +459,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ct
+     return;
+ }
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
++#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || defined(OPENSSL_NO_TLS1_3)
+     crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
+                "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
+                ciphers);
+@@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_lis
+     crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) && !defined(OPENSSL_NO_TLS1_3)
+ if (tls13)
+ {
+     SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/openvpn/pkg/PLIST,v
retrieving revision 1.24
diff -u -p -r1.24 PLIST
--- pkg/PLIST 4 Sep 2018 12:46:18 -0000 1.24
+++ pkg/PLIST 21 Feb 2019 14:37:20 -0000
@@ -1,6 +1,7 @@
 @comment $OpenBSD: PLIST,v 1.24 2018/09/04 12:46:18 espie Exp $
 @newgroup _openvpn:577
 @newuser _openvpn:577:_openvpn:daemon:OpenVPN Daemon:/nonexistent:/sbin/nologin
+@rcscript ${RCDIR}/openvpn
 include/openvpn/
 include/openvpn/openvpn-msg.h
 include/openvpn/openvpn-plugin.h
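Review bot: In the `tls_ctx_restrict_ciphers_tls13` hunk the `#if` now also fires when `OPENSSL_NO_TLS1_3` is defined, but the `M_WARN` text still reads `"Not compiled with OpenSSL 1.1.1 or higher. "`, which is wrong for a LibreSSL build that passes the version comparison yet lacks TLS 1.3 and would send an operator who set `--tls-ciphersuites` looking for the wrong cause; the patch could reword it to `"Not compiled with TLS 1.3 support. "`. A related caveat: with `OPENSSL_NO_TLS1_3` defined, `openssl_tls_version(TLS_VER_1_3)` no longer reaches `return TLS1_3_VERSION;` and falls through to the ungated tail of the function, which is outside the hunk; this looks safe only because `tls_version_max()` (gated in the same patch) should make option parsing reject `--tls-version-min 1.3` before that call is ever made, and that chain is worth confirming rather than assumed, since a silent fallthrough to a zero version would translate into no minimum protocol version at all. The patch file also carries no comment after `$OpenBSD$`; a line such as `Disable the TLS 1.3 code paths when the crypto library defines OPENSSL_NO_TLS1_3 (LibreSSL), since OPENSSL_VERSION_NUMBER alone does not indicate TLS 1.3 support.` would record why these guards differ from upstream. All four functions touched here start or end outside the hunk.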
@@ -63,4 +64,3 @@ share/examples/openvpn/sample-scripts/br
 share/examples/openvpn/sample-scripts/bridge-stop
 share/examples/openvpn/sample-scripts/ucn.pl
 share/examples/openvpn/sample-scripts/verify-cn
-@rcscript ${RCDIR}/openvpn
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
