Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2018-03-04 Thread Steffan Karger

On 05-03-18 00:26, Steffan Karger wrote:
> Yes, I'd rather not use the workaround if not needed.

Bad wording.  Read that as "I'm no longer opposed to a patch".

-Steffan

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2018-03-04 Thread Steffan Karger
Hi,

On 04-03-18 19:59, Jeremie Courreges-Anglas wrote:
> On Thu, Dec 14 2017, Steffan Karger  wrote:
> 
> [...]
> 
>> NAK.
>>
>> Looking at this patch again I realize I have misunderstood the
>> intentions when first looking at it.  I thought LibreSSL *did* have an
>> SSL_CTX_get0_certificate() and this patch would make us use it (instead
>> of the workaround in the #else).  But this is just about replacing the
>> version check with a configure check.
> 
> Are you still opposed to such a diff (updated version attached), now
> that LibreSSL HEAD provides SSL_CTX_get0_certificate?

Yes, I'd rather not use the workaround if not needed.  Still not very
happy about the approach though.  Why not simply add
|| LIBRESSL_VERSION > x.y.z ?

>> I oppose that change because it
>> hides information I want to have:  "what code can be purged when we drop
>> support for openssl 1.0 and libressl?".
> 
> Maybe there's another way to encode that information?  Like,
> consistently formatted comments describing the first OpenSSL (and
> LibreSSL) releases that provided a function?

Yes, we could do that.  But if we're going to put that info into the
code anyway, why not just use the define?

-Steffan



Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2018-03-04 Thread Jeremie Courreges-Anglas
On Thu, Dec 14 2017, Steffan Karger  wrote:

[...]

> NAK.
>
> Looking at this patch again I realize I have misunderstood the
> intentions when first looking at it.  I thought LibreSSL *did* have an
> SSL_CTX_get0_certificate() and this patch would make us use it (instead
> of the workaround in the #else).  But this is just about replacing the
> version check with a configure check.

Are you still opposed to such a diff (updated version attached), now
that LibreSSL HEAD provides SSL_CTX_get0_certificate?

> I oppose that change because it
> hides information I want to have:  "what code can be purged when we drop
> support for openssl 1.0 and libressl?".

Maybe there's another way to encode that information?  Like,
consistently formatted comments describing the first OpenSSL (and
LibreSSL) releases that provided a function?

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
From e6d80207bf7f1323670d0bc1102fa51309b1aa14 Mon Sep 17 00:00:00 2001
From: Jeremie Courreges-Anglas 
Date: Sun, 4 Mar 2018 19:24:36 +0100
Subject: [PATCH] Detect availability of SSL_CTX_get0_certificate

instead of relying on simpler version checks.  This allows using
SSL_CTX_get0_certificate with LibreSSL.
---
 configure.ac  | 1 +
 src/openvpn/ssl_openssl.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 626b4dd4..e4525b09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -918,6 +918,7 @@ if test "${with_crypto_library}" = "openssl"; then
 			EVP_MD_CTX_new \
 			EVP_MD_CTX_free \
 			EVP_MD_CTX_reset \
+			SSL_CTX_get0_certificate \
 			SSL_CTX_get_default_passwd_cb \
 			SSL_CTX_get_default_passwd_cb_userdata \
 			SSL_CTX_set_security_level \
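Review bot: the new `SSL_CTX_get0_certificate \` entry only helps if the surrounding check list produces the macro `HAVE_SSL_CTX_GET0_CERTIFICATE` that the ssl_openssl.c hunks test, and the check leaves that macro undefined whenever the symbol cannot be linked, so on a LibreSSL that does not export the function the code silently takes the existing `#else` fallback. The commit message's "allows using SSL_CTX_get0_certificate with LibreSSL" should therefore be qualified to LibreSSL releases that provide it (2.7.0 and up, per the comment in the ssl_openssl.c hunk), so that the fallback path is understood as still live for older LibreSSL.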
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8ef68ebd..19580312 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -459,8 +459,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 
 ASSERT(ctx);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-/* OpenSSL 1.0.2 and up */
+#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE
+/* OpenSSL 1.0.2 and up, LibreSSL 2.7.0 and up */
 cert = SSL_CTX_get0_certificate(ctx->ctx);
 #else
 /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
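Review bot: the updated comment `/* OpenSSL 1.0.2 and up, LibreSSL 2.7.0 and up */` is now the only record of which library versions make `HAVE_SSL_CTX_GET0_CERTIFICATE` true, because the `#ifdef` no longer encodes a version. That addresses the "what code can be purged" concern raised in the thread only if the comment is kept accurate and written in one consistent form across the file; consider using the same "OpenSSL x.y.z and up, LibreSSL a.b.c and up" wording on every feature-detected guard in ssl_openssl.c, and stating explicitly that the `#else` branch below is the code to delete once OpenSSL 1.0.1 and pre-2.7 LibreSSL support is dropped.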
@@ -494,7 +494,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 }
 
 cleanup:
-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE
 SSL_free(ssl);
 #endif
 return;
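Review bot: `#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE` around `SSL_free(ssl)` is the exact complement of the `#ifdef` in the previous hunk, which is an improvement over the old pair of version expressions that had to be mirrored by hand (`>= 0x10002000L && !defined(...)` against `< 0x10002000L || defined(...)`). The remaining risk with `#ifdef`/`#ifndef` on a configure-generated macro is that a misspelled name in either hunk would not fail to compile but would silently select the fallback on every build, leaking the `SSL` object or freeing one that was never allocated; it is worth confirming on an OpenSSL 1.1 build that config.h actually defines `HAVE_SSL_CTX_GET0_CERTIFICATE` and that this `SSL_free` is compiled out there.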
-- 
2.16.0





Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-12-14 Thread Steffan Karger
Hi,

On 19-11-17 23:18, Jeremie Courreges-Anglas wrote:
> Here's another diff to detect SSL_CTX_get0_certificate().
> 
> Tested against LibreSSL only; adding
> 
>   #define HAVE_SSL_CTX_GET0_CERTIFICATE 1
> 
> to config.h lets ssl_openssl.c build (with a warning), the link fails as
> expected.
>
> From 1abd6089a45260e4ce7adfae3fa619f9055edcaf Mon Sep 17 00:00:00 2001
> From: Jeremie Courreges-Anglas 
> Date: Sun, 19 Nov 2017 23:12:30 +0100
> Subject: [PATCH] Detect if SSL_CTX_get0_certificate is available
> 
> Don't rely on #ifdef OPENSSL/LIBRESSL_VERSION_NUMBER checks.
> 
> Signed-off-by: Jeremie Courreges-Anglas 
> ---
>  configure.ac  | 1 +
>  src/openvpn/ssl_openssl.c | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index acfddb22..ac6e7a76 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -925,6 +925,7 @@ if test "${enable_crypto}" = "yes" -a 
> "${with_crypto_library}" = "openssl"; then
>   EVP_MD_CTX_new \
>   EVP_MD_CTX_free \
>   EVP_MD_CTX_reset \
> + SSL_CTX_get0_certificate \
>   SSL_CTX_get_default_passwd_cb \
>   SSL_CTX_get_default_passwd_cb_userdata \
>   SSL_CTX_set_security_level \
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index b782946e..3df70166 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -425,7 +425,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
>  
>  ASSERT(ctx);
>  
> -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && 
> !defined(LIBRESSL_VERSION_NUMBER)
> +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE
>  /* OpenSSL 1.0.2 and up */
>  cert = SSL_CTX_get0_certificate(ctx->ctx);
>  #else
> @@ -460,7 +460,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
>  }
>  
>  cleanup:
> -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
> +#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE
>  SSL_free(ssl);
>  #endif
>  return;
> -- 
> 2.15.0

NAK.

Looking at this patch again I realize I have misunderstood the
intentions when first looking at it.  I thought LibreSSL *did* have an
SSL_CTX_get0_certificate() and this patch would make us use it (instead
of the workaround in the #else).  But this is just about replacing the
version check with a configure check.  I oppose that change because it
hides information I want to have:  "what code can be purged when we drop
support for openssl 1.0 and libressl?".

-Steffan



Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-11-22 Thread Steffan Karger
Hi,

On 19-11-17 23:01, Jeremie Courreges-Anglas wrote:
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.
>
>
> From: Jeremie Courreges-Anglas 
> Date: Sun, 19 Nov 2017 22:57:56 +0100
> Subject: [PATCH] Fix build with LibreSSL
> 
> Detect the presence of SSL_CTX_set_security_level(), don't check
> OPENSSL_VERSION_NUMBER.
> 
> Signed-off-by: Jeremie Courreges-Anglas 
> ---
>  configure.ac  | 1 +
>  src/openvpn/ssl_openssl.c | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 7f2e34f2..acfddb22 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -927,6 +927,7 @@ if test "${enable_crypto}" = "yes" -a 
> "${with_crypto_library}" = "openssl"; then
>   EVP_MD_CTX_reset \
>   SSL_CTX_get_default_passwd_cb \
>   SSL_CTX_get_default_passwd_cb_userdata \
> + SSL_CTX_set_security_level \
>   X509_get0_pubkey \
>   X509_STORE_get0_objects \
>   X509_OBJECT_free \
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index de89cb13..b782946e 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -386,7 +386,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const 
> char *ciphers)
>  void
>  tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
>  {
> -#if (OPENSSL_VERSION_NUMBER >= 0x1010)
> +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
>  /* OpenSSL does not have certificate profiles, but a complex set of
>   * callbacks that we could try to implement to achieve something similar.
>   * For now, use OpenSSL's security levels to achieve similar (but not 
> equal)
> -- 
> 2.15.0

Patch looks good and clean enough to restore compatibility with libressl.
Tested that this doesn't break --tls-cert-profile with OpenSSL 1.1, and
doesn't break builds with OpenSSL 1.0.

Acked-by: Steffan Karger 
Tested-by: Steffan Karger 

-Steffan



Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-11-20 Thread Steffan Karger
Hi,

On 20-11-17 09:06, Gert Doering wrote:
> On Sun, Nov 19, 2017 at 11:01:39PM +0100, Jeremie Courreges-Anglas wrote:
>>> (Not sure, though, why it only complains about two out of
>>> three, but still annoyance...  if LibreSSL claims
>>> OPENSSL_VERSION_NUMBER >= 0x1010 it better should provide
>>> everything needed)
>>
>> LibreSSL defines:
>>
>> #define OPENSSL_VERSION_NUMBER 0x2000L
>>
>> breaking #ifdef checks based on it.
>
> Indeed.  I find this a curious and not useful setting - "if it's
> not compatible with OPENSSL, why define such a version number"?
> But that's slightly out of scope here...

+1, highly frustrating.  LibreSSL should really just make up their
mind whether they want to be OpenSSL-compatible or not, and act
accordingly.

>> Sadly, people tend to prefer adding
>>
>> && !defined(LIBRESSL_VERSION_NUMBER)
>>
>> to fix the build, rather than doing features detection using
>> autoconf or similar.  openvpn can easily solve this.
>
> ... and I'm thankful for your patch, because this is exactly what I
>  considered doing here.  We already check for all the 1.0/1.1
> openssl differences (accessor functions), so adding this one is
> logical.

*If* we want to keep LibreSSL working, I agree this is the way to go.
But I'm kind of annoyed that we are including more and more #ifdefs
to keep LibreSSL happy.  The version checks are much simpler and make
it easy to see what code can be purged when we drop support for e.g.
openssl 1.0.1.  I don't want to keep these 'backwards compatibility'
ifdefs forever.  At some point we'll have to decide to either
completely stop supporting LibreSSL, or add it as a true abstraction
(which I will *not* maintain).  We're getting closer and closer to
that point.

>>> This is on OpenBSD 6.0, which happens to be something Samuli's
>>> vagrant setup can provide nicely if anyone wants to have a look
>>> :-)
>>
>> Here's a diff, master builds and seems to run fine as a client
>> on OpenBSD-current.
>
> Thanks.  Patch looks good to me, but I leave the final word to
> Steffan (maybe he wants to amend the non-support message to include
> LibreSSL, or whatever)

They look good at first sight, but I'll check these properly later
this week - when I have some spare cycles available.

>> I can cook a similar diff for the remaining OPENSSL /
>> LIBRESSL_VERSION_NUMBER #ifdef.
>
> This would be appreciated.

Same reservations as above.

To reiterate: our policy towards LibreSSL is currently that we do
*not* support it, but we won't break it on purpose and accept trivial
patches to keep it working.  Where 'trivial' is - of course - fuzzy.

-Steffan



Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-11-20 Thread Gert Doering
Hi,

On Sun, Nov 19, 2017 at 11:01:39PM +0100, Jeremie Courreges-Anglas wrote:
> > (Not sure, though, why it only complains about two out of three, but
> > still annoyance...  if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010
> > it better should provide everything needed)
> 
> LibreSSL defines:
> 
>   #define OPENSSL_VERSION_NUMBER 0x2000L
> 
> breaking #ifdef checks based on it.  

Indeed.  I find this a curious and not useful setting - "if it's not 
compatible with OPENSSL, why define such a version number"?  But that's
slightly out of scope here...

> Sadly, people tend to prefer adding
> 
>   && !defined(LIBRESSL_VERSION_NUMBER)
> 
> to fix the build, rather than doing features detection using autoconf or
> similar.  openvpn can easily solve this.

... and I'm thankful for your patch, because this is exactly what I 
considered doing here.  We already check for all the 1.0/1.1 openssl
differences (accessor functions), so adding this one is logical.

> > This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
> > setup can provide nicely if anyone wants to have a look :-)
> 
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.

Thanks.  Patch looks good to me, but I leave the final word to Steffan
(maybe he wants to amend the non-support message to include LibreSSL,
or whatever)

> I can cook a similar diff for the remaining OPENSSL /
> LIBRESSL_VERSION_NUMBER #ifdef.

This would be appreciated.

gert
-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-11-19 Thread Jeremie Courreges-Anglas
On Sun, Nov 19 2017, Jeremie Courreges-Anglas  wrote:
> On Sun, Nov 19 2017, Gert Doering  wrote:
>> Hi,
>>
>> On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
>>> .. of course this conflicts with o->renegotiate_seconds_min...
>>> 
>>> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3 
>>> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
>>> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
>>> 
>>> Also tested with openssl 1.0.1, where it warns and does nothing, as
>>> expected.  Good :-)
>>
>> I *should* have tested with LibreSSL as well...
>>
>> ssl_openssl.o: In function `tls_ctx_set_cert_profile':
>> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:404: undefined reference to `SSL_CTX_set_security_level'
>> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400: undefined reference to `SSL_CTX_set_security_level'
>>
>> ... *roll eyes*
>>
>> (Not sure, though, why it only complains about two out of three, but
>> still annoyance...  if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010
>> it better should provide everything needed)
>
> LibreSSL defines:
>
>   #define OPENSSL_VERSION_NUMBER 0x2000L
>
> breaking #ifdef checks based on it.  Sadly, people tend to prefer adding
>
>   && !defined(LIBRESSL_VERSION_NUMBER)
>
> to fix the build, rather than doing features detection using autoconf or
> similar.  openvpn can easily solve this.
>
>> This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
>> setup can provide nicely if anyone wants to have a look :-)
>
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.
>
> I can cook a similar diff for the remaining OPENSSL /
> LIBRESSL_VERSION_NUMBER #ifdef.

Here's another diff to detect SSL_CTX_get0_certificate().

Tested against LibreSSL only; adding

  #define HAVE_SSL_CTX_GET0_CERTIFICATE 1

to config.h lets ssl_openssl.c build (with a warning), the link fails as
expected.

From 1abd6089a45260e4ce7adfae3fa619f9055edcaf Mon Sep 17 00:00:00 2001
From: Jeremie Courreges-Anglas 
Date: Sun, 19 Nov 2017 23:12:30 +0100
Subject: [PATCH] Detect if SSL_CTX_get0_certificate is available

Don't rely on #ifdef OPENSSL/LIBRESSL_VERSION_NUMBER checks.

Signed-off-by: Jeremie Courreges-Anglas 
---
 configure.ac  | 1 +
 src/openvpn/ssl_openssl.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index acfddb22..ac6e7a76 100644
--- a/configure.ac
+++ b/configure.ac
@@ -925,6 +925,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 			EVP_MD_CTX_new \
 			EVP_MD_CTX_free \
 			EVP_MD_CTX_reset \
+			SSL_CTX_get0_certificate \
 			SSL_CTX_get_default_passwd_cb \
 			SSL_CTX_get_default_passwd_cb_userdata \
 			SSL_CTX_set_security_level \
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b782946e..3df70166 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -425,7 +425,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 
 ASSERT(ctx);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE
 /* OpenSSL 1.0.2 and up */
 cert = SSL_CTX_get0_certificate(ctx->ctx);
 #else
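Review bot: the comment `/* OpenSSL 1.0.2 and up */` is left unchanged while the condition above it becomes `#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE`, so the comment now understates what the branch covers (it is also taken on LibreSSL builds where the symbol is detected) and no longer records which LibreSSL release first provided the function. Updating it to name the first supporting version of both libraries would preserve the information the removed version check used to carry, which is the objection raised against this patch in the thread.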
@@ -460,7 +460,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 }
 
 cleanup:
-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE
 SSL_free(ssl);
 #endif
 return;
-- 
2.15.0


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE




Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-11-19 Thread Jeremie Courreges-Anglas
On Sun, Nov 19 2017, Gert Doering  wrote:
> Hi,
>
> On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
>> .. of course this conflicts with o->renegotiate_seconds_min...
>> 
>> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3 
>> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
>> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
>> 
>> Also tested with openssl 1.0.1, where it warns and does nothing, as
>> expected.  Good :-)
>
> I *should* have tested with LibreSSL as well...
>
> ssl_openssl.o: In function `tls_ctx_set_cert_profile':
> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:404: undefined reference to `SSL_CTX_set_security_level'
> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400: undefined reference to `SSL_CTX_set_security_level'
>
> ... *roll eyes*
>
> (Not sure, though, why it only complains about two out of three, but
> still annoyance...  if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010
> it better should provide everything needed)

LibreSSL defines:

  #define OPENSSL_VERSION_NUMBER 0x2000L

breaking #ifdef checks based on it.  Sadly, people tend to prefer adding

  && !defined(LIBRESSL_VERSION_NUMBER)

to fix the build, rather than doing features detection using autoconf or
similar.  openvpn can easily solve this.

> This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
> setup can provide nicely if anyone wants to have a look :-)

Here's a diff, master builds and seems to run fine as a client on
OpenBSD-current.

I can cook a similar diff for the remaining OPENSSL /
LIBRESSL_VERSION_NUMBER #ifdef.

From 15315d3c3b25814a426bfc8184c4dfd262f28768 Mon Sep 17 00:00:00 2001
From: Jeremie Courreges-Anglas 
Date: Sun, 19 Nov 2017 22:57:56 +0100
Subject: [PATCH] Fix build with LibreSSL

Detect the presence of SSL_CTX_set_security_level(), don't check
OPENSSL_VERSION_NUMBER.

Signed-off-by: Jeremie Courreges-Anglas 
---
 configure.ac  | 1 +
 src/openvpn/ssl_openssl.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 7f2e34f2..acfddb22 100644
--- a/configure.ac
+++ b/configure.ac
@@ -927,6 +927,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 			EVP_MD_CTX_reset \
 			SSL_CTX_get_default_passwd_cb \
 			SSL_CTX_get_default_passwd_cb_userdata \
+			SSL_CTX_set_security_level \
 			X509_get0_pubkey \
 			X509_STORE_get0_objects \
 			X509_OBJECT_free \
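Review bot: `SSL_CTX_set_security_level \` lands between the `SSL_CTX_get_default_passwd_cb_userdata` and `X509_get0_pubkey` entries, which keeps the list sorted; the thing to double-check is that the macro the check generates from this mixed-case function name is exactly the `HAVE_SSL_CTX_SET_SECURITY_LEVEL` spelled in the ssl_openssl.c hunk, because a mismatch would not be a build error, it would just make the `#ifdef` false on every platform and quietly disable --tls-cert-profile for OpenSSL 1.1 as well.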
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index de89cb13..b782946e 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -386,7 +386,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x1010)
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 /* OpenSSL does not have certificate profiles, but a complex set of
  * callbacks that we could try to implement to achieve something similar.
  * For now, use OpenSSL's security levels to achieve similar (but not equal)
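Review bot: replacing `#if (OPENSSL_VERSION_NUMBER >= 0x1010)` with `#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL` is the right fix for the link failure quoted earlier in the thread, since LibreSSL advertises a version number that satisfies the comparison but does not export `SSL_CTX_set_security_level`. The hunk shows only the opening of the guarded block, so the reviewer should confirm that the matching `#else` branch still emits the "not supported, doing nothing" warning that was observed on OpenSSL 1.0.1, and, as suggested in the thread, that its message now mentions LibreSSL alongside OpenSSL 1.0 so operators know the profile restriction is not being enforced on those builds.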
-- 
2.15.0


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE




Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-11-19 Thread Gert Doering
Hi,

On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
> .. of course this conflicts with o->renegotiate_seconds_min...
> 
> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3 
> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
> 
> Also tested with openssl 1.0.1, where it warns and does nothing, as
> expected.  Good :-)

I *should* have tested with LibreSSL as well...

ssl_openssl.o: In function `tls_ctx_set_cert_profile':
/home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:404: undefined reference to `SSL_CTX_set_security_level'
/home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400: undefined reference to `SSL_CTX_set_security_level'

... *roll eyes*

(Not sure, though, why it only complains about two out of three, but
still annoyance...  if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010
it better should provide everything needed)

This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
setup can provide nicely if anyone wants to have a look :-)

gert
-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-11-19 Thread Gert Doering
.. of course this conflicts with o->renegotiate_seconds_min...

Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3 
(mbedTLS 2.6) buildslave now happy again (on the default settings - with
--tls-cert-profile preferred, it refuses the old-hash cert, as it should).

Also tested with openssl 1.0.1, where it warns and does nothing, as
expected.  Good :-)

Commit subject amended according to Antonio's comment.

Your patch has been applied to the master and release/2.4 branch.

commit aba758740d26224b7b3957df221def7ab80c5802 (master)
commit 8bcabf0a1621e6ccc7a44465a73de29fd2d541b3 (release/2.4)
Author: Steffan Karger
Date:   Sun Nov 12 17:36:36 2017 +0100

 Add --tls-cert-profile option.

 Signed-off-by: Steffan Karger 
 Acked-by: Antonio Quartulli 
 Message-Id: <20171112163636.17434-1-stef...@karger.me>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15848.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

