Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1
> Hi, > > On 11-04-17 19:31, David Sommerseth wrote: >> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. >> This also makes it possible to remove a few workaronds which was >> needed earlier, as well as some left overs from v0.9.6. >> >> This also makes ./configure really stop running unless a new enough >> OpenSSL library is found. >> >> Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping >> openssl-1.0.1e. >> >> Signed-off-by: David Sommerseth>> --- >> configure.ac | 6 >> +++--- >> doc/openvpn.8 | 1 - >> .../keying-material-exporter-demo/keyingmaterialexporter.c| 3 +-- >> sample/sample-plugins/log/log_v3.c| 3 +-- >> src/openvpn/ssl_openssl.c | 3 --- >> src/openvpn/ssl_openssl.h | 11 >> --- >> src/openvpn/ssl_verify_openssl.c | 6 >> ++ >> 7 files changed, 7 insertions(+), 26 deletions(-) >> >> diff --git a/configure.ac b/configure.ac >> index 2406ad8..acea060 100644 >> --- a/configure.ac >> +++ b/configure.ac >> @@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a >> "${with_crypto_library}" = "openssl"; then >> # if the user did not explicitly specify flags, try to >> autodetect >> PKG_CHECK_MODULES( >> [OPENSSL], >> -[libcrypto >= 0.9.8, libssl >= 0.9.8], >> -[have_openssl="yes"], >> -[have_openssl="no"] # Provide if-not-found to prevent >> erroring out >> +[libcrypto >= 1.0.1, libssl >= 1.0.1], >> +[have_openssl="yes"], >> +[AC_MSG_ERROR([Minimum supported OpenSSL version is >> 1.0.1])] >> ) >> >> OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto} >> diff --git a/doc/openvpn.8 b/doc/openvpn.8 >> index a9f5db7..c3248fd 100644 >> --- a/doc/openvpn.8 >> +++ b/doc/openvpn.8 >> @@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback. >> Note that exporter labels have the potential to collide with existing >> PRF >> labels. In order to prevent this, labels MUST begin with "EXPORTER". >> >> -This option requires OpenSSL 1.0.1 or newer. >> .\"* >> .SS Server Mode >> Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode 
>> diff --git >> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >> index 177977d..a72b374 100644 >> --- >> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >> +++ >> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >> @@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509) >> { >> continue; >> } >> -/* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this >> workaround */ >> -unsigned char *buf = (unsigned char *)1; >> +unsigned char *buf = NULL; >> if (ASN1_STRING_to_UTF8(, val) <= 0) >> { >> continue; >> diff --git a/sample/sample-plugins/log/log_v3.c >> b/sample/sample-plugins/log/log_v3.c >> index 9037225..d3014f3 100644 >> --- a/sample/sample-plugins/log/log_v3.c >> +++ b/sample/sample-plugins/log/log_v3.c >> @@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt) >> X509_NAME *x509_name; >> X509_NAME_ENTRY *ent; >> const char *objbuf; >> -unsigned char *buf; >> +unsigned char *buf = NULL; >> >> x509_name = X509_get_subject_name(x509crt); >> n = X509_NAME_entry_count(x509_name); >> @@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt) >> { >> continue; >> } >> -buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b >> ASN1_STRING_to_UTF8 requires this workaround */ >> if (ASN1_STRING_to_UTF8(, val) <= 0) >> { >> continue; >> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c >> index d7cc2ba..645ccf5 100644 >> --- a/src/openvpn/ssl_openssl.c >> +++ b/src/openvpn/ssl_openssl.c >> @@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, >> unsigned int ssl_flags) >> sslopt |= SSL_OP_NO_TLSv1_2; >> } >> #endif >> -#ifdef SSL_OP_NO_COMPRESSION >> -/* Disable compression - flag not available in OpenSSL 0.9.8 */ >> sslopt |= SSL_OP_NO_COMPRESSION; >> -#endif >> SSL_CTX_set_options(ctx->ctx, sslopt); >> } 
>> >> diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h >> index 6ca4cb6..60a1f5e 100644 >> --- a/src/openvpn/ssl_openssl.h >> +++ b/src/openvpn/ssl_openssl.h >> @@ -33,17 +33,6 @@ >> #include >> >> /** >> - * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session
Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1
On 11.04.2017 at 23:56, David Sommerseth wrote:
> On 11/04/17 23:20, Steffan Karger wrote:
>> For release/2.4: I wonder whether we need to keep 0.9.8 support, as
>> SLES11 still ships with 0.9.8h, and has general support until 31 Mar 2019.
> While it is James who insisted on RHEL being the oldest supported distro
> many years ago, I have no issues with keeping SLES *or* RHEL as the
> oldest supported distro, in regards to package dependencies.
>
> Do we know if we have a large group of SLES 11 users? Initially I
> thought it was related to OpenVPN-NL ... until I recalled that
> OpenVPN-NL should be built against mbed TLS :)

How many of the enterprise users will want to update and then can't be bothered to install a newer OpenSSL into /opt? Older OpenSSL versions are EOL; I don't think the community edition should waste any energy on supporting such stuff. I'd even discontinue 1.0.1 support on master for the same reason, because 1.0.1 is also past the end of its life.

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Add --tls-cert-profile option for mbedtls builds
On 10/04/17 11:15, Steffan Karger wrote: > This allows the user to specify what certificate crypto algorithms to > support. The supported profiles are 'preferred' (default), 'legacy' and > 'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2...@fox-it.com> > (https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14214.html). > > This only implements the feature for mbed TLS builds, because for mbed it > is both more easy to implement and the most relevant because mbed TLS 2+ > is by default somewhat restrictive by requiring 2048-bit+ for RSA keys. > > Signed-off-by: Steffan Karger> --- > src/openvpn/options.c | 8 > src/openvpn/options.h | 1 + > src/openvpn/ssl.c | 3 +++ > src/openvpn/ssl_backend.h | 10 ++ > src/openvpn/ssl_mbedtls.c | 51 > +++ > src/openvpn/ssl_mbedtls.h | 1 + > src/openvpn/ssl_openssl.c | 6 ++ > 7 files changed, 80 insertions(+) > [...snip...] > diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c > index ba8dadf..1fcee72 100644 > --- a/src/openvpn/ssl_mbedtls.c > +++ b/src/openvpn/ssl_mbedtls.c [...snip...] > void > +tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) > +{ > +if (0 == strcmp(profile, "preferred")) While you do say in the docs that profile MAY NOT be NULL, this will cause a SEGV if it happens. Wouldn't it be better better to either report an error or ASSERT() if profile == NULL? > +{ > +ctx->cert_profile = openvpn_x509_crt_profile_preferred; > +} > +else if (0 == strcmp(profile, "legacy")) > +{ > +ctx->cert_profile = openvpn_x509_crt_profile_legacy; > +} > +else if (0 == strcmp(profile, "suiteb")) > +{ > +ctx->cert_profile = openvpn_x509_crt_profile_suiteb; > +} > +else > +{ > +msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile); > +} > +} [...snip...] > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c 
> @@ -384,6 +384,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const > char *ciphers) > } > > void > +tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) > +{ > +msg (M_WARN, "WARNING: --tls-cert-profile not supported for OpenSSL"); > +} > +

While I do understand the use of M_WARN here, wouldn't it be better to use M_NONFATAL and make it more like an "INFO" log line instead? --tls-cert-profile is a brand new feature, where certificate profiles are not (yet?) implemented for OpenSSL. So that's strictly not a warning of more critical aspects. But it is however important to highlight it.

Otherwise, I think this makes sense. It would be good to have something similar for OpenSSL too, to be feature complete against mbed TLS.

It seems usage() is lacking details about --tls-cert-profile for the --help screen.

I have reviewed this by also comparing the implementation to what's done in OpenVPN 3 [1]. The profile declaration and enabling it seem to be very much aligned. (On a side note, I have already added a default profile for "legacy" in Fedora, as many users complained about OpenVPN breaking on Fedora 26 and newer, which also looks fairly recognisable to what is done here.)

I will run some real tests tomorrow. But quick smoke testing looks good.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
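Review bot: in the ssl_openssl.c hunk, the OpenSSL stub of tls_ctx_set_cert_profile() warns and returns without ever looking at `profile`, while the mbed TLS version in the same patch ends in `msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile)` for unknown names, so a misspelled profile name in the config is a fatal error on one backend and silently accepted on the other. Validate the name once in the backend-independent option handling (options.c is already in the diffstat) so both backends reject bad values at parse time, and let the OpenSSL stub carry only the "not supported" message; that also removes the need for the backend setter to handle NULL.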
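As an added example, not OpenVPN's code and not part of Steffan's patch, the C below shows how a backend-independent profile check could look: a NULL-safe name lookup that returns an error value instead of crashing in strcmp() or calling a fatal logger, followed by a rule check that reports the first reason a certificate fails a profile. Only the three profile names come from the patch; the enum, the struct layout and the concrete constraint values (which signature hashes, key types, curves and minimum RSA size each profile accepts) are this example's own assumptions, loosely modelled on the shape of an mbed TLS x509 crt profile, not the values OpenVPN uses. The three sample certificates are constructed summaries, nothing is parsed from real X.509.

```c
#include <stdio.h>
#include <string.h>

/* Profile names from the patch; enum values are this example's own. */
enum cert_profile { CERT_PROFILE_INVALID = -1, CERT_PROFILE_PREFERRED = 0,
                    CERT_PROFILE_LEGACY = 1, CERT_PROFILE_SUITEB = 2 };

/* Bit flags so a profile can hold a set of allowed algorithms. */
enum sig_hash { HASH_MD5 = 1u << 0, HASH_SHA1 = 1u << 1, HASH_SHA256 = 1u << 2,
                HASH_SHA384 = 1u << 3, HASH_SHA512 = 1u << 4 };
enum key_type { KEY_RSA = 1u << 0, KEY_ECDSA = 1u << 1 };
enum ec_curve { CURVE_NONE = 0, CURVE_P256 = 1u << 0, CURVE_P384 = 1u << 1, CURVE_OTHER = 1u << 2 };

struct profile_rules {
    const char *name;
    unsigned allowed_hashes;
    unsigned allowed_keys;
    unsigned allowed_curves;   /* only consulted for ECDSA keys */
    unsigned min_rsa_bits;     /* only consulted for RSA keys */
};

/* Assumed constraints (example's own, not OpenVPN's): "preferred" = SHA-2 and
 * RSA >= 2048, "legacy" relaxes to SHA-1 and RSA-1024, "suiteb" = ECDSA on
 * P-256/P-384 signed with SHA-256/384 only. */
static const struct profile_rules rules[] = {
    [CERT_PROFILE_PREFERRED] = { "preferred", HASH_SHA256 | HASH_SHA384 | HASH_SHA512,
                                 KEY_RSA | KEY_ECDSA, CURVE_P256 | CURVE_P384 | CURVE_OTHER, 2048 },
    [CERT_PROFILE_LEGACY]    = { "legacy", HASH_SHA1 | HASH_SHA256 | HASH_SHA384 | HASH_SHA512,
                                 KEY_RSA | KEY_ECDSA, CURVE_P256 | CURVE_P384 | CURVE_OTHER, 1024 },
    [CERT_PROFILE_SUITEB]    = { "suiteb", HASH_SHA256 | HASH_SHA384,
                                 KEY_ECDSA, CURVE_P256 | CURVE_P384, 0 },
};
#define N_PROFILES (sizeof rules / sizeof rules[0])

/* What a verifier would extract from a certificate; constructed here, not parsed. */
struct cert_summary {
    enum sig_hash hash;
    enum key_type key;
    unsigned key_bits;
    enum ec_curve curve;
};

/* Constructed sample certificates. */
const struct cert_summary sample_rsa2048_sha256 = { HASH_SHA256, KEY_RSA, 2048, CURVE_NONE };
const struct cert_summary sample_rsa1024_sha1   = { HASH_SHA1, KEY_RSA, 1024, CURVE_NONE };
const struct cert_summary sample_ecdsa_p256     = { HASH_SHA256, KEY_ECDSA, 256, CURVE_P256 };

/* NULL-safe, table-driven lookup: a missing or unknown name yields
 * CERT_PROFILE_INVALID so the caller decides how to fail (config error,
 * warning, default), instead of strcmp(NULL, ...) or a fatal log call here. */
enum cert_profile parse_cert_profile(const char *name)
{
    if (name == NULL) {
        return CERT_PROFILE_INVALID;
    }
    for (size_t i = 0; i < N_PROFILES; i++) {
        if (strcmp(name, rules[i].name) == 0) {
            return (enum cert_profile)i;
        }
    }
    return CERT_PROFILE_INVALID;
}

/* Returns NULL when the certificate satisfies the profile, otherwise a static
 * string naming the first violated rule (useful as the log line a user sees). */
const char *cert_profile_check(enum cert_profile p, const struct cert_summary *c)
{
    if (p < CERT_PROFILE_PREFERRED || (size_t)p >= N_PROFILES || c == NULL) {
        return "invalid profile";
    }
    const struct profile_rules *r = &rules[p];
    if (!(r->allowed_hashes & (unsigned)c->hash)) return "signature hash not allowed by profile";
    if (!(r->allowed_keys & (unsigned)c->key)) return "public key type not allowed by profile";
    if (c->key == KEY_RSA && c->key_bits < r->min_rsa_bits) return "RSA key shorter than profile minimum";
    if (c->key == KEY_ECDSA && !(r->allowed_curves & (unsigned)c->curve)) return "EC curve not allowed by profile";
    return NULL;
}

int main(void)
{
    const struct cert_summary *samples[] = { &sample_rsa2048_sha256, &sample_rsa1024_sha1, &sample_ecdsa_p256 };
    const char *labels[] = { "RSA-2048/SHA-256", "RSA-1024/SHA-1", "ECDSA P-256/SHA-256" };
    const char *names[] = { "preferred", "legacy", "suiteb", NULL, "SuiteB" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum cert_profile p = parse_cert_profile(names[i]);
        if (p == CERT_PROFILE_INVALID) {
            printf("--tls-cert-profile %s: rejected (unknown or missing name)\n", names[i] ? names[i] : "(null)");
            continue;
        }
        for (size_t j = 0; j < 3; j++) {
            const char *why = cert_profile_check(p, samples[j]);
            printf("%-9s %-20s %s\n", names[i], labels[j], why ? why : "accepted");
        }
    }
    return 0;
}
```

Run stand-alone it prints a profile-by-certificate matrix with the first violated rule per cell, and shows the two error paths the review asks about: a NULL name and a case-mismatched name both come back as CERT_PROFILE_INVALID rather than a crash or a process exit inside the crypto backend.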
Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1
On 11/04/17 23:20, Steffan Karger wrote:
> Hi,
>
> On 11-04-17 19:31, David Sommerseth wrote:
>> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
>> This also makes it possible to remove a few workarounds which were
>> needed earlier, as well as some leftovers from v0.9.6.
>>
>> This also makes ./configure really stop running unless a new enough
>> OpenSSL library is found.
>>
>> Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
>> openssl-1.0.1e.
>>
>> Signed-off-by: David Sommerseth
>> ---
>> configure.ac | 6 +++---
>> doc/openvpn.8 | 1 -
>> .../keying-material-exporter-demo/keyingmaterialexporter.c | 3 +--
>> sample/sample-plugins/log/log_v3.c | 3 +--
>> src/openvpn/ssl_openssl.c | 3 ---
>> src/openvpn/ssl_openssl.h | 11 ---
>> src/openvpn/ssl_verify_openssl.c | 6 ++
>> 7 files changed, 7 insertions(+), 26 deletions(-)
>> [...snip...]
>
> For master: ACK.
>
> For release/2.4: I wonder whether we need to keep 0.9.8 support, as
> SLES11 still ships with 0.9.8h, and has general support until 31 Mar 2019.

While it is James who insisted on RHEL being the oldest supported distro many years ago, I have no issues with keeping SLES *or* RHEL as the oldest supported distro, in regards to package dependencies.

Do we know if we have a large group of SLES 11 users? Initially I thought it was related to OpenVPN-NL ... until I recalled that OpenVPN-NL should be built against mbed TLS :)

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH applied] Require minimum OpenSSL 1.0.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Your patch has been applied to the master branch.

commit 039a89c331e9b7998d8047ec72144097f7c5826a
Author: David Sommerseth
Date:   Tue Apr 11 19:31:33 2017 +0200

    Require minimum OpenSSL 1.0.1

    Signed-off-by: David Sommerseth
    Acked-by: Steffan Karger
    Message-Id: <20170411173133.18060-1-dav...@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14441.html
    Signed-off-by: David Sommerseth

- --
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJY7U/DAAoJEIbPlEyWcf3y/pUQAIY5NJWnRs+jYIiWSoLrPFrB
PDQf4J9BO2cRFvQTvtGzCUpv7CY+uy8dM6NeGKJ3dX4HLtGn7s7gtSZpecu1gql5
Z2aOXxYATq1axyk6KfEDIpElIauT6Jh52H5Sop5RhnnMnqkSetOyxfTUQGbINkdz
Z6gjt9iYUOb0zFK2JgTQUUpr+dHMYciZuirm/u+f2x06ISdSjtjxpn2eTvC0fLcN
9z3EvfalgYfHhDk1g+d86/Y+OPHmvY+1E5iiXfDy4oInODPs8FomjwGorbYAr7g7
sT44bor7G5mNlCCrVY4gR1djv5Rt6w8ac2EQdTyRkLIhCyZxAWRfyjNdHyMsy8M7
UawM50CtSPleeuTyVmVWh0ixVBupW+aAAUZQijp93rlfrh2ziteXUJZDrxc4LWsi
URohP71gCnnZXlJBAvEYNoY0CDqnLAv9jESh1PKX7WXtM/pymDDoCatV0WPNKN4P
lsUGU/+6tollPjGFOgxmCuc1KGymF47wfOhejWtUMonOpjt7cLh1qV48NvByMhIM
SoAq5a390XHnjDLtVeeigxcgoYYtQLAIROO3rwwyXYzigF8gLd++Fjzr0NVC1EIy
62ho/BjhOMfxrdz5OXFHjeit7H/5pdy2kcqOR12oSY7m+Rlo9xwTdnOGTbZ/27NN
SBoEEKOAjM1BKFnVCrL0
=vHtE
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1
Hi, On 11-04-17 19:31, David Sommerseth wrote: > As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. > This also makes it possible to remove a few workaronds which was > needed earlier, as well as some left overs from v0.9.6. > > This also makes ./configure really stop running unless a new enough > OpenSSL library is found. > > Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping > openssl-1.0.1e. > > Signed-off-by: David Sommerseth> --- > configure.ac | 6 +++--- > doc/openvpn.8 | 1 - > .../keying-material-exporter-demo/keyingmaterialexporter.c| 3 +-- > sample/sample-plugins/log/log_v3.c| 3 +-- > src/openvpn/ssl_openssl.c | 3 --- > src/openvpn/ssl_openssl.h | 11 > --- > src/openvpn/ssl_verify_openssl.c | 6 ++ > 7 files changed, 7 insertions(+), 26 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 2406ad8..acea060 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a > "${with_crypto_library}" = "openssl"; then > # if the user did not explicitly specify flags, try to > autodetect > PKG_CHECK_MODULES( > [OPENSSL], > - [libcrypto >= 0.9.8, libssl >= 0.9.8], > - [have_openssl="yes"], > - [have_openssl="no"] # Provide if-not-found to prevent > erroring out > + [libcrypto >= 1.0.1, libssl >= 1.0.1], > + [have_openssl="yes"], > + [AC_MSG_ERROR([Minimum supported OpenSSL version is > 1.0.1])] > ) > > OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto} > diff --git a/doc/openvpn.8 b/doc/openvpn.8 > index a9f5db7..c3248fd 100644 > --- a/doc/openvpn.8 > +++ b/doc/openvpn.8 > @@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback. > Note that exporter labels have the potential to collide with existing PRF > labels. In order to prevent this, labels MUST begin with "EXPORTER". > > -This option requires OpenSSL 1.0.1 or newer. > .\"* > .SS Server Mode > Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode 
> diff --git > a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c > > b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c > index 177977d..a72b374 100644 > --- > a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c > +++ > b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c > @@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509) > { > continue; > } > -/* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this > workaround */ > -unsigned char *buf = (unsigned char *)1; > +unsigned char *buf = NULL; > if (ASN1_STRING_to_UTF8(, val) <= 0) > { > continue; > diff --git a/sample/sample-plugins/log/log_v3.c > b/sample/sample-plugins/log/log_v3.c > index 9037225..d3014f3 100644 > --- a/sample/sample-plugins/log/log_v3.c > +++ b/sample/sample-plugins/log/log_v3.c > @@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt) > X509_NAME *x509_name; > X509_NAME_ENTRY *ent; > const char *objbuf; > -unsigned char *buf; > +unsigned char *buf = NULL; > > x509_name = X509_get_subject_name(x509crt); > n = X509_NAME_entry_count(x509_name); > @@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt) > { > continue; > } > -buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b > ASN1_STRING_to_UTF8 requires this workaround */ > if (ASN1_STRING_to_UTF8(, val) <= 0) > { > continue; > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index d7cc2ba..645ccf5 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned > int ssl_flags) > sslopt |= SSL_OP_NO_TLSv1_2; > } > #endif > -#ifdef SSL_OP_NO_COMPRESSION > -/* Disable compression - flag not available in OpenSSL 0.9.8 */ > sslopt |= SSL_OP_NO_COMPRESSION; > -#endif > SSL_CTX_set_options(ctx->ctx, sslopt); > } > > diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h > index 6ca4cb6..60a1f5e 100644 
> --- a/src/openvpn/ssl_openssl.h > +++ b/src/openvpn/ssl_openssl.h > @@ -33,17 +33,6 @@ > #include > > /** > - * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption", > - * as this is something we do not want nor need, but could potentially be > - *
[Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1
As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. This also makes it possible to remove a few workaronds which was needed earlier, as well as some left overs from v0.9.6. This also makes ./configure really stop running unless a new enough OpenSSL library is found. Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping openssl-1.0.1e. Signed-off-by: David Sommerseth--- configure.ac | 6 +++--- doc/openvpn.8 | 1 - .../keying-material-exporter-demo/keyingmaterialexporter.c| 3 +-- sample/sample-plugins/log/log_v3.c| 3 +-- src/openvpn/ssl_openssl.c | 3 --- src/openvpn/ssl_openssl.h | 11 --- src/openvpn/ssl_verify_openssl.c | 6 ++ 7 files changed, 7 insertions(+), 26 deletions(-) diff --git a/configure.ac b/configure.ac index 2406ad8..acea060 100644 --- a/configure.ac +++ b/configure.ac @@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then # if the user did not explicitly specify flags, try to autodetect PKG_CHECK_MODULES( [OPENSSL], - [libcrypto >= 0.9.8, libssl >= 0.9.8], - [have_openssl="yes"], - [have_openssl="no"] # Provide if-not-found to prevent erroring out + [libcrypto >= 1.0.1, libssl >= 1.0.1], + [have_openssl="yes"], + [AC_MSG_ERROR([Minimum supported OpenSSL version is 1.0.1])] ) OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto} diff --git a/doc/openvpn.8 b/doc/openvpn.8 index a9f5db7..c3248fd 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback. Note that exporter labels have the potential to collide with existing PRF labels. In order to prevent this, labels MUST begin with "EXPORTER". -This option requires OpenSSL 1.0.1 or newer. .\"* .SS Server Mode Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode diff --git a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c index 177977d..a72b374 100644 
--- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c +++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c @@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509) { continue; } -/* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ -unsigned char *buf = (unsigned char *)1; +unsigned char *buf = NULL; if (ASN1_STRING_to_UTF8(, val) <= 0) { continue; diff --git a/sample/sample-plugins/log/log_v3.c b/sample/sample-plugins/log/log_v3.c index 9037225..d3014f3 100644 --- a/sample/sample-plugins/log/log_v3.c +++ b/sample/sample-plugins/log/log_v3.c @@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt) X509_NAME *x509_name; X509_NAME_ENTRY *ent; const char *objbuf; -unsigned char *buf; +unsigned char *buf = NULL; x509_name = X509_get_subject_name(x509crt); n = X509_NAME_entry_count(x509_name); @@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt) { continue; } -buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ if (ASN1_STRING_to_UTF8(, val) <= 0) { continue; diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index d7cc2ba..645ccf5 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) sslopt |= SSL_OP_NO_TLSv1_2; } #endif -#ifdef SSL_OP_NO_COMPRESSION -/* Disable compression - flag not available in OpenSSL 0.9.8 */ sslopt |= SSL_OP_NO_COMPRESSION; -#endif SSL_CTX_set_options(ctx->ctx, sslopt); } diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index 6ca4cb6..60a1f5e 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h 
@@ -33,17 +33,6 @@ #include /** - * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption", - * as this is something we do not want nor need, but could potentially be - * used for a future attack. For compatibility reasons we keep building if the - * OpenSSL version is too old (pre-0.9.8f) to support stateless session - * resumption (and the accompanying SSL_OP_NO_TICKET flag). - */ -#ifndef SSL_OP_NO_TICKET -#define SSL_OP_NO_TICKET 0 -#endif -
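Review bot: in the configure.ac hunk, replacing the not-found branch of PKG_CHECK_MODULES with AC_MSG_ERROR turns a pkg-config miss into a hard failure, but the comment being deleted ("Provide if-not-found to prevent erroring out") and the `OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}` default directly below the hunk show that a fallback existed for systems where pkg-config has no openssl .pc file; that fallback is now unreachable, and such a system with a perfectly new OpenSSL dies with "Minimum supported OpenSSL version is 1.0.1", which is misleading. Either keep `have_openssl="no"` and let the later library checks enforce the floor (for example a compile test on `OPENSSL_VERSION_NUMBER >= 0x10001000L`), or reword the error to say that pkg-config could not find libssl/libcrypto >= 1.0.1.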
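Review bot: the doc/openvpn.8 hunk deletes "This option requires OpenSSL 1.0.1 or newer." from the --keying-material-exporter entry, which is correct now that 1.0.1 is the floor for everything, but nothing in the patch states the new global minimum instead; the diffstat lists only configure.ac, the man page, two sample plugins and three ssl_*.c/h files, so the 1.0.1 requirement ends up visible only in a configure failure. Suggest recording it in the build documentation (or a general note in the man page) in the same patch.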
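Review bot: in the keyingmaterialexporter.c and log_v3.c hunks, initialising `buf` to NULL is the right replacement for the `(unsigned char *)1` sentinel, since on the OpenSSL versions this patch still supports ASN1_STRING_to_UTF8() assigns `*out` unconditionally on success and never reads its previous value, so the 0.9.6b workaround was only masking a library bug that is gone. One thing to check in log_v3.c: the per-iteration reset inside the loop is removed and `buf` is now set only at its declaration, so the buffer returned by the previous iteration must already be freed before the next ASN1_STRING_to_UTF8() call, which this hunk does not show.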
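Review bot: in the ssl_openssl.c hunk, dropping the `#ifdef SSL_OP_NO_COMPRESSION` guard is the right call, as the flag has existed since OpenSSL 1.0.0 and the guard would otherwise silently leave TLS compression enabled on a build where the macro was missing; the context lines of the same hunk show an `#endif` immediately above, closing a guard around `sslopt |= SSL_OP_NO_TLSv1_2;`, and since that flag is also a 1.0.1-era addition the guard is probably dead as well and could go in the same sweep once the `#if` condition has been checked.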
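Review bot: the ssl_openssl.h hunk removes the pre-0.9.8f compatibility define for SSL_OP_NO_TICKET together with the only comment explaining why OpenVPN sets it ("stateless session resumption ... something we do not want nor need, but could potentially be used for a future attack"); the define can go now that 1.0.1 is the floor, but keep the rationale as a one-line comment next to the place where SSL_OP_NO_TICKET is applied to the context, otherwise the next options clean-up has no record of why session tickets are disabled.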
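The patch moves the OpenSSL floor into a configure-time pkg-config version comparison. As an added example that is not part of the patch or of OpenVPN, the C below encodes the version strings that come up in this thread (0.9.8h on SLES11, 1.0.1e on RHEL 6/7, and the bare 1.0.1 minimum) into the MNNFFPPS layout OpenSSL 1.x uses for OPENSSL_VERSION_NUMBER and compares them against the minimum, which is the other form such compatibility guards take in C (`#if OPENSSL_VERSION_NUMBER < 0x10001000L`), next to the `#ifdef SSL_OP_NO_COMPRESSION` style the patch removes. The function names and the MIN_OPENSSL_VERSION constant are this example's own; the encoding itself (major, two-digit minor, two-digit fix, patch letter a=1..z=26, status nibble f for a release) is OpenSSL's scheme for 1.x version strings and is not meant for 3.x strings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* 1.0.1 with no patch letter and any status nibble: the floor configure.ac now enforces.
 * Example's own constant, not an OpenSSL header macro. */
#define MIN_OPENSSL_VERSION 0x10001000UL

/*
 * Encode a 1.x-style OpenSSL version string ("0.9.8h", "1.0.1", "1.0.1e")
 * as OPENSSL_VERSION_NUMBER does: MNNFFPPS in hex, where M = major,
 * NN = minor, FF = fix, PP = patch letter (a = 1 .. z = 26, 0 if none)
 * and S = status (0xf = release). Returns 0 for NULL or malformed input,
 * including trailing garbage such as "1.0.1e-fips" or a second letter.
 */
unsigned long openssl_version_number(const char *ver)
{
    unsigned int major, minor, fix;
    int consumed = 0;
    if (ver == NULL) {
        return 0;
    }
    if (sscanf(ver, "%u.%u.%u%n", &major, &minor, &fix, &consumed) != 3) {
        return 0;
    }
    if (major > 9 || minor > 0xff || fix > 0xff) {
        return 0;   /* would overflow its field in the MNNFFPPS layout */
    }
    const char *rest = ver + consumed;
    unsigned int patch = 0;
    if (*rest != '\0') {
        if (!islower((unsigned char)*rest) || rest[1] != '\0') {
            return 0;
        }
        patch = (unsigned int)(*rest - 'a' + 1);
    }
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20)
         | ((unsigned long)fix << 12) | ((unsigned long)patch << 4) | 0xfUL;
}

/* 1 if the string parses and is at least MIN_OPENSSL_VERSION, else 0.
 * Unparseable input is treated as "too old" rather than accepted. */
int openssl_version_ok(const char *ver)
{
    unsigned long n = openssl_version_number(ver);
    return n != 0 && n >= MIN_OPENSSL_VERSION;
}

int main(void)
{
    /* Versions mentioned in the thread, plus one newer 1.0.2 letter release. */
    const char *samples[] = { "0.9.8h", "1.0.1", "1.0.1e", "1.0.2k", "1.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long n = openssl_version_number(samples[i]);
        printf("%-8s -> 0x%08lx %s\n", samples[i], n,
               n == 0 ? "malformed" : (openssl_version_ok(samples[i]) ? "ok" : "too old"));
    }
    return 0;
}
```

The numeric form is what a compile-time guard compares, so the same table shows why `>= 0x10001000L` admits 1.0.1 and 1.0.1e but rejects 0.9.8h, and why a version string that fails to parse must be rejected rather than defaulting to "new enough".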
Re: [Openvpn-devel] [PATCH applied] Make --cipher/--auth none more explicit on the risks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Just a commit-time correction added, fixing wrong spelling of RECONSIDER.

Patch has been applied to the following branches

commit 7a1b6a0dd706a81897457b0456a951c0b30bbcfb (master)
commit 1935729fe6d6badd978e9dfdd3402857b3d000a0 (release/2.4)
commit 32b5cb60e354f486c98408e6870af3a9c03ff865 (release/2.3)
Author: David Sommerseth
Date:   Tue Apr 11 00:28:28 2017 +0200

    Make --cipher/--auth none more explicit on the risks

    Signed-off-by: David Sommerseth
    Acked-by: Steffan Karger
    Message-Id: <20170410222828.23612-1-dav...@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14436.html
    Signed-off-by: David Sommerseth

- --
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJY7O9WAAoJEIbPlEyWcf3yQ08P/3/bWCmGRHPXMwMDdcs4mmyf
Hna9ObtuAMqT4wYUAIGAXpzmpaVJtxteIGV7ahWLZVxiYrjeKSHrICRhZJOQ7ji6
RKbmPlZ9VeICUwY59d/I37q6d69gCsFpz9D8KSb4XyklJ+/UUILvEimbJAvFpu8C
+l0mFOinQxPkRJMKvU54Ry+yrgHRBvEPUI8X3ni8g97ZRVu1VQe81Kfc5y94WB6v
RGQ/9YS4jeE0LgMI7PinMdD5esfcJQ9opTZaiXtApxz+YLTTyLFSrCiTX/gE3xUb
vUCcTxfM8iPAYqCVWiX/ep7Z+npPugmzpDWq+gbxPvGPtbCluuw3lXdzT3Wq6EJw
wfFT2GFoY4CtK7ynEt6ibjDuBzeSBXyqOHd0wlpU272H99P4li8DtBn6N6XzBCr8
zfxPt00AUgo+eSYSVFdF3dZqjTFSWEO2SlS+L6zAekJOCSibIRFYU/BFC67hpvoO
50Qp66EK1PDtcW3oMQBwUfV2TcFDrflBL99nk34P2+YyIiscvj2DoaT+PTkwNLz7
Opy+16q7TIg2VhRgqi5gx03Ji0k/nAF01qjJOyyqBLFK7SKD85zCCIsV9TZMK09f
TqPsQwtLeb/pNaZYIE2SVnExgYOpAJxLkPwkN93v7WvzBvFsCWxRbJjiN8Zjvu0G
j47g3fFaHNuN4UYWYmT7
=C6Nl
-----END PGP SIGNATURE-----
Re: [Openvpn-devel] [PATCH] Make --cipher/--auth none more explicit on the risks
On 11-04-17 10:55, David Sommerseth wrote:
> On 11/04/17 06:26, Simon Matter wrote:
>>> The warning provided to --cipher and --auth using the 'none' setting may
>>> not have been too clearly understandable to non-developers or people not
>>> fully understanding encryption and cryptography. This tries to improve
>>> that.
>>>
>>> While at it, also break up the long source lines.
>>>
>>> Signed-off-by: David Sommerseth
>>> ---
>>> src/openvpn/crypto.c | 11 +--
>>> src/openvpn/init.c | 5 -
>>> 2 files changed, 13 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c >>> index 909f725..8a5c723 100644 >>> --- a/src/openvpn/crypto.c >>> +++ b/src/openvpn/crypto.c >>> @@ -784,7 +784,10 @@ init_key_type(struct key_type *kt, const char >>> *ciphername, >>> { >>> if (warn) >>> { >>> -msg(M_WARN, "*** WARNING ***: null cipher specified, >>> no encryption will be used"); >>> +msg(M_WARN, "*** WARNING ***: '--cipher none' was >>> specified. " >>> +"This means NO encryption will be performed and tunnelled >>> " >>> +"data WILL be transmitted in clear text over the network! >>> " >>> +"PLEASE DO RECONIDER THIS SETTING!");
>>
>> Hi
>>
>> Small typos, you may want to 's/RECONIDER/RECONSIDER/g' the patches.
>
> Meh, yeah, sorry about that. That needs to be fixed, but also something
> I can fix on-the-fly at commit time; that's an uncritical last-minute
> change. Just need an ACK first ;-)

ACK if you fix the typos :)

-Steffan
Re: [Openvpn-devel] [PATCH] Make --cipher/--auth none more explicit on the risks
On 11/04/17 06:26, Simon Matter wrote:
>> The warning provided to --cipher and --auth using the 'none' setting may
>> not have been too clearly understandable to non-developers or people not
>> fully understanding encryption and cryptography. This tries to improve
>> that.
>>
>> While at it, also break up the long source lines.
>>
>> Signed-off-by: David Sommerseth
>> ---
>> src/openvpn/crypto.c | 11 +--
>> src/openvpn/init.c | 5 -
>> 2 files changed, 13 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c >> index 909f725..8a5c723 100644 >> --- a/src/openvpn/crypto.c >> +++ b/src/openvpn/crypto.c >> @@ -784,7 +784,10 @@ init_key_type(struct key_type *kt, const char >> *ciphername, >> { >> if (warn) >> { >> -msg(M_WARN, "*** WARNING ***: null cipher specified, >> no encryption will be used"); >> +msg(M_WARN, "*** WARNING ***: '--cipher none' was >> specified. " >> +"This means NO encryption will be performed and tunnelled >> " >> +"data WILL be transmitted in clear text over the network! >> " >> +"PLEASE DO RECONIDER THIS SETTING!");
>
> Hi
>
> Small typos, you may want to 's/RECONIDER/RECONSIDER/g' the patches.

Meh, yeah, sorry about that. That needs to be fixed, but also something I can fix on-the-fly at commit time; that's an uncritical last-minute change. Just need an ACK first ;-)

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
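Review bot: the crypto.c hunk strengthens the runtime warning for '--cipher none', but the diffstat lists only src/openvpn/crypto.c and src/openvpn/init.c, so the man page entries for --cipher and --auth, which is where a user reads about 'none' before putting it in a config, keep whatever wording they had; mirror the "NO encryption ... transmitted in clear text" statement in doc/openvpn.8 for both options in the same patch so the warning is not the first place the consequence is spelled out. The RECONIDER typo in the new string is the one Simon already points out below the hunk.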