Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-11 Thread Simon Matter
> Hi,
>
> On 11-04-17 19:31, David Sommerseth wrote:
>> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
>> This also makes it possible to remove a few workarounds which were
>> needed earlier, as well as some leftovers from v0.9.6.
>>
>> This also makes ./configure really stop running unless a new enough
>> OpenSSL library is found.
>>
>> Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
>> openssl-1.0.1e.
>>
>> Signed-off-by: David Sommerseth 
>> ---
>>  configure.ac  |  6 +++---
>>  doc/openvpn.8 |  1 -
>>  .../keying-material-exporter-demo/keyingmaterialexporter.c|  3 +--
>>  sample/sample-plugins/log/log_v3.c|  3 +--
>>  src/openvpn/ssl_openssl.c |  3 ---
>>  src/openvpn/ssl_openssl.h | 11 ---
>>  src/openvpn/ssl_verify_openssl.c  |  6 ++
>>  7 files changed, 7 insertions(+), 26 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 2406ad8..acea060 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a
>> "${with_crypto_library}" = "openssl"; then
>>  # if the user did not explicitly specify flags, try to 
>> autodetect
>>  PKG_CHECK_MODULES(
>>  [OPENSSL],
>> -[libcrypto >= 0.9.8, libssl >= 0.9.8],
>> -[have_openssl="yes"],
>> -[have_openssl="no"] # Provide if-not-found to prevent 
>> erroring out
>> +[libcrypto >= 1.0.1, libssl >= 1.0.1],
>> +[have_openssl="yes"],
>> +[AC_MSG_ERROR([Minimum supported OpenSSL version is 
>> 1.0.1])]
>>  )
>>
>>  OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
>> diff --git a/doc/openvpn.8 b/doc/openvpn.8
>> index a9f5db7..c3248fd 100644
>> --- a/doc/openvpn.8
>> +++ b/doc/openvpn.8
>> @@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback.
>>  Note that exporter labels have the potential to collide with existing
>> PRF
>>  labels. In order to prevent this, labels MUST begin with "EXPORTER".
>>
>> -This option requires OpenSSL 1.0.1 or newer.
>>  .\"*
>>  .SS Server Mode
>>  Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
>> diff --git
>> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
>> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
>> index 177977d..a72b374 100644
>> ---
>> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
>> +++
>> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
>> @@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509)
>>  {
>>  continue;
>>  }
>> -/* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this
>> workaround */
>> -unsigned char *buf = (unsigned char *)1;
>> +unsigned char *buf = NULL;
>>  if (ASN1_STRING_to_UTF8(, val) <= 0)
>>  {
>>  continue;
>> diff --git a/sample/sample-plugins/log/log_v3.c
>> b/sample/sample-plugins/log/log_v3.c
>> index 9037225..d3014f3 100644
>> --- a/sample/sample-plugins/log/log_v3.c
>> +++ b/sample/sample-plugins/log/log_v3.c
>> @@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt)
>>  X509_NAME *x509_name;
>>  X509_NAME_ENTRY *ent;
>>  const char *objbuf;
>> -unsigned char *buf;
>> +unsigned char *buf = NULL;
>>
>>  x509_name = X509_get_subject_name(x509crt);
>>  n = X509_NAME_entry_count(x509_name);
>> @@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt)
>>  {
>>  continue;
>>  }
>> -buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b
>> ASN1_STRING_to_UTF8 requires this workaround */
>>  if (ASN1_STRING_to_UTF8(, val) <= 0)
>>  {
>>  continue;
>> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
>> index d7cc2ba..645ccf5 100644
>> --- a/src/openvpn/ssl_openssl.c
>> +++ b/src/openvpn/ssl_openssl.c
>> @@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx,
>> unsigned int ssl_flags)
>>  sslopt |= SSL_OP_NO_TLSv1_2;
>>  }
>>  #endif
>> -#ifdef SSL_OP_NO_COMPRESSION
>> -/* Disable compression - flag not available in OpenSSL 0.9.8 */
>>  sslopt |= SSL_OP_NO_COMPRESSION;
>> -#endif
>>  SSL_CTX_set_options(ctx->ctx, sslopt);
>>  }
>>
>> diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
>> index 6ca4cb6..60a1f5e 100644
>> --- a/src/openvpn/ssl_openssl.h
>> +++ b/src/openvpn/ssl_openssl.h
>> @@ -33,17 +33,6 @@
>>  #include 
>>
>>  /**
>> - * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session

Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-11 Thread Matthias Andree
On 11.04.2017 at 23:56, David Sommerseth wrote:
> On 11/04/17 23:20, Steffan Karger wrote:
>> For release/2.4: I wonder whether we need to keep 0.9.8 support, as
>> SLES11 still ships with 0.9.8h, and has general support until 31 Mar 2019.
> While it is James who insisted on RHEL being the oldest supported distro
> many years ago, I have no issues with keeping SLES *or* RHEL as the
> oldest supported distro, in regards to package dependencies.
>
> Do we know if we have a large group of SLES 11 users?  Initially I
> thought it was related to OpenVPN-NL ... until I recalled that
> OpenVPN-NL should be built against mbed TLS :)

How many of the enterprise users will want to update and then can't be
bothered to install a newer OpenSSL into /opt?
Older OpenSSL versions are EOL, I don't think the community edition
should waste any energy on supporting such stuff. I'd even discontinue
1.0.1 support on master for the same reason because 1.0.1 is also past
the end of its life.


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Add --tls-cert-profile option for mbedtls builds

2017-04-11 Thread David Sommerseth
On 10/04/17 11:15, Steffan Karger wrote:
> This allows the user to specify what certificate crypto algorithms to
> support.  The supported profiles are 'preferred' (default), 'legacy' and
> 'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2...@fox-it.com>
> (https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14214.html).
> 
> This only implements the feature for mbed TLS builds, because for mbed it
> is both more easy to implement and the most relevant because mbed TLS 2+
> is by default somewhat restrictive by requiring 2048-bit+ for RSA keys.
> 
> Signed-off-by: Steffan Karger 
> ---
>  src/openvpn/options.c |  8 
>  src/openvpn/options.h |  1 +
>  src/openvpn/ssl.c |  3 +++
>  src/openvpn/ssl_backend.h | 10 ++
>  src/openvpn/ssl_mbedtls.c | 51 +++
>  src/openvpn/ssl_mbedtls.h |  1 +
>  src/openvpn/ssl_openssl.c |  6 ++
>  7 files changed, 80 insertions(+)
> 
[...snip...]
> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
> index ba8dadf..1fcee72 100644
> --- a/src/openvpn/ssl_mbedtls.c
> +++ b/src/openvpn/ssl_mbedtls.c
[...snip...]
>  void
> +tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
> +{
> +if (0 == strcmp(profile, "preferred"))

While you do say in the docs that profile MAY NOT be NULL, this will
cause a SEGV if it happens.  Wouldn't it be better to either
report an error or ASSERT() if profile == NULL?

> +{
> +ctx->cert_profile = openvpn_x509_crt_profile_preferred;
> +}
> +else if (0 == strcmp(profile, "legacy"))
> +{
> +ctx->cert_profile = openvpn_x509_crt_profile_legacy;
> +}
> +else if (0 == strcmp(profile, "suiteb"))
> +{
> +ctx->cert_profile = openvpn_x509_crt_profile_suiteb;
> +}
> +else
> +{
> +msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile);
> +}
> +}
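Review bot: an unrecognised profile name is only caught here, via `msg(M_FATAL, ...)` at TLS context setup, rather than when the option is parsed. Since the series already touches src/openvpn/options.c, validating the string there against the same three names would report a bad `--tls-cert-profile` value with the usual option-parsing context, keep this function to the pure name-to-profile mapping, and make the NULL case raised above unreachable.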
[...snip...]
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -384,6 +384,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const 
> char *ciphers)
>  }
>  
>  void
> +tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
> +{
> +msg (M_WARN, "WARNING: --tls-cert-profile not supported for OpenSSL");
> +}
> +
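Review bot: this stub accepts any `profile` string, so on an OpenSSL build a misspelt `--tls-cert-profile` value is reduced to a warning while the same config aborts with M_FATAL on mbed TLS. Unless options.c already rejects unknown names, the OpenSSL path should validate the name the same way so both backends fail consistently, and the warning text should say which profile value is being ignored.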

While I do understand the use of M_WARN here, wouldn't it be better to
use M_NONFATAL and make it more like an "INFO" log line instead?
--tls-cert-profile is a brand new feature, where certificate profiles
are not (yet?) implemented for OpenSSL.  So that's strictly not a
warning of more critical aspects.  But it is however important to
highlight it.

Otherwise, I think this makes sense.  It would be good to have something
similar for OpenSSL too, to be feature complete against mbed TLS.

It seems usage() is lacking details about --tls-cert-profile for the
--help screen.

I have reviewed this by also comparing the implementation to what's done
in OpenVPN 3 [1].  The profile declaration and enabling it seems to be
very much aligned.  (on a side note, I have already added a default
profile for "legacy" in Fedora, as many users complained about OpenVPN
breaking on Fedora 26 and newer, which also looks fairly recognisable to
what is done here).

I will run some real tests tomorrow.  But quick smoke testing looks good.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-11 Thread David Sommerseth
On 11/04/17 23:20, Steffan Karger wrote:
> Hi,
> 
> On 11-04-17 19:31, David Sommerseth wrote:
>> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
>> This also makes it possible to remove a few workarounds which were
>> needed earlier, as well as some leftovers from v0.9.6.
>>
>> This also makes ./configure really stop running unless a new enough
>> OpenSSL library is found.
>>
>> Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
>> openssl-1.0.1e.
>>
>> Signed-off-by: David Sommerseth 
>> ---
>>  configure.ac  |  6 +++---
>>  doc/openvpn.8 |  1 -
>>  .../keying-material-exporter-demo/keyingmaterialexporter.c|  3 +--
>>  sample/sample-plugins/log/log_v3.c|  3 +--
>>  src/openvpn/ssl_openssl.c |  3 ---
>>  src/openvpn/ssl_openssl.h | 11 ---
>>  src/openvpn/ssl_verify_openssl.c  |  6 ++
>>  7 files changed, 7 insertions(+), 26 deletions(-)
>>
[...snip...]
> 
> For master: ACK.
> 
> For release/2.4: I wonder whether we need to keep 0.9.8 support, as
> SLES11 still ships with 0.9.8h, and has general support until 31 Mar 2019.

While it is James who insisted on RHEL being the oldest supported distro
many years ago, I have no issues with keeping SLES *or* RHEL as the
oldest supported distro, in regards to package dependencies.

Do we know if we have a large group of SLES 11 users?  Initially I
thought it was related to OpenVPN-NL ... until I recalled that
OpenVPN-NL should be built against mbed TLS :)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH applied] Require minimum OpenSSL 1.0.1

2017-04-11 Thread David Sommerseth


Your patch has been applied to the master branch.

commit 039a89c331e9b7998d8047ec72144097f7c5826a
Author: David Sommerseth
Date:   Tue Apr 11 19:31:33 2017 +0200

 Require minimum OpenSSL 1.0.1

 Signed-off-by: David Sommerseth 
 Acked-by: Steffan Karger 
 Message-Id: <20170411173133.18060-1-dav...@openvpn.net>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14441.html
 Signed-off-by: David Sommerseth 


--
kind regards,

David Sommerseth




Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-11 Thread Steffan Karger
Hi,

On 11-04-17 19:31, David Sommerseth wrote:
> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
> This also makes it possible to remove a few workarounds which were
> needed earlier, as well as some leftovers from v0.9.6.
> 
> This also makes ./configure really stop running unless a new enough
> OpenSSL library is found.
> 
> Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
> openssl-1.0.1e.
> 
> Signed-off-by: David Sommerseth 
> ---
>  configure.ac  |  6 +++---
>  doc/openvpn.8 |  1 -
>  .../keying-material-exporter-demo/keyingmaterialexporter.c|  3 +--
>  sample/sample-plugins/log/log_v3.c|  3 +--
>  src/openvpn/ssl_openssl.c |  3 ---
>  src/openvpn/ssl_openssl.h | 11 ---
>  src/openvpn/ssl_verify_openssl.c  |  6 ++
>  7 files changed, 7 insertions(+), 26 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 2406ad8..acea060 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a 
> "${with_crypto_library}" = "openssl"; then
>   # if the user did not explicitly specify flags, try to 
> autodetect
>   PKG_CHECK_MODULES(
>   [OPENSSL],
> - [libcrypto >= 0.9.8, libssl >= 0.9.8],
> - [have_openssl="yes"],
> - [have_openssl="no"] # Provide if-not-found to prevent 
> erroring out
> + [libcrypto >= 1.0.1, libssl >= 1.0.1],
> + [have_openssl="yes"],
> + [AC_MSG_ERROR([Minimum supported OpenSSL version is 
> 1.0.1])]
>   )
>  
>   OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index a9f5db7..c3248fd 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback.
>  Note that exporter labels have the potential to collide with existing PRF
>  labels. In order to prevent this, labels MUST begin with "EXPORTER".
>  
> -This option requires OpenSSL 1.0.1 or newer.
>  .\"*
>  .SS Server Mode
>  Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
> diff --git 
> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
>  
> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
> index 177977d..a72b374 100644
> --- 
> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
> +++ 
> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
> @@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509)
>  {
>  continue;
>  }
> -/* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this 
> workaround */
> -unsigned char *buf = (unsigned char *)1;
> +unsigned char *buf = NULL;
>  if (ASN1_STRING_to_UTF8(, val) <= 0)
>  {
>  continue;
> diff --git a/sample/sample-plugins/log/log_v3.c 
> b/sample/sample-plugins/log/log_v3.c
> index 9037225..d3014f3 100644
> --- a/sample/sample-plugins/log/log_v3.c
> +++ b/sample/sample-plugins/log/log_v3.c
> @@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt)
>  X509_NAME *x509_name;
>  X509_NAME_ENTRY *ent;
>  const char *objbuf;
> -unsigned char *buf;
> +unsigned char *buf = NULL;
>  
>  x509_name = X509_get_subject_name(x509crt);
>  n = X509_NAME_entry_count(x509_name);
> @@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt)
>  {
>  continue;
>  }
> -buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b 
> ASN1_STRING_to_UTF8 requires this workaround */
>  if (ASN1_STRING_to_UTF8(, val) <= 0)
>  {
>  continue;
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index d7cc2ba..645ccf5 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned 
> int ssl_flags)
>  sslopt |= SSL_OP_NO_TLSv1_2;
>  }
>  #endif
> -#ifdef SSL_OP_NO_COMPRESSION
> -/* Disable compression - flag not available in OpenSSL 0.9.8 */
>  sslopt |= SSL_OP_NO_COMPRESSION;
> -#endif
>  SSL_CTX_set_options(ctx->ctx, sslopt);
>  }
>  
> diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
> index 6ca4cb6..60a1f5e 100644
> --- a/src/openvpn/ssl_openssl.h
> +++ b/src/openvpn/ssl_openssl.h
> @@ -33,17 +33,6 @@
>  #include 
>  
>  /**
> - * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
> - * as this is something we do not want nor need, but could potentially be
> - * 

[Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-11 Thread David Sommerseth
As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
This also makes it possible to remove a few workarounds which were
needed earlier, as well as some leftovers from v0.9.6.

This also makes ./configure really stop running unless a new enough
OpenSSL library is found.

Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
openssl-1.0.1e.

Signed-off-by: David Sommerseth 
---
 configure.ac  |  6 +++---
 doc/openvpn.8 |  1 -
 .../keying-material-exporter-demo/keyingmaterialexporter.c|  3 +--
 sample/sample-plugins/log/log_v3.c|  3 +--
 src/openvpn/ssl_openssl.c |  3 ---
 src/openvpn/ssl_openssl.h | 11 ---
 src/openvpn/ssl_verify_openssl.c  |  6 ++
 7 files changed, 7 insertions(+), 26 deletions(-)

diff --git a/configure.ac b/configure.ac
index 2406ad8..acea060 100644
--- a/configure.ac
+++ b/configure.ac
@@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
# if the user did not explicitly specify flags, try to 
autodetect
PKG_CHECK_MODULES(
[OPENSSL],
-   [libcrypto >= 0.9.8, libssl >= 0.9.8],
-   [have_openssl="yes"],
-   [have_openssl="no"] # Provide if-not-found to prevent 
erroring out
+   [libcrypto >= 1.0.1, libssl >= 1.0.1],
+   [have_openssl="yes"],
+   [AC_MSG_ERROR([Minimum supported OpenSSL version is 
1.0.1])]
)
 
OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
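Review bot: the new if-not-found branch turns every pkg-config miss into `AC_MSG_ERROR([Minimum supported OpenSSL version is 1.0.1])`, but that branch is also taken when no openssl.pc is installed at all (or pkg-config is missing), so the message misleads on such systems, and the fallback `OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}` just below can no longer be reached from the autodetect path. Either word the error so it covers "not found" as well as "too old", or keep `have_openssl="no"` here and fail later with a version check that says which of the two it was.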
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index a9f5db7..c3248fd 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback.
 Note that exporter labels have the potential to collide with existing PRF
 labels. In order to prevent this, labels MUST begin with "EXPORTER".
 
-This option requires OpenSSL 1.0.1 or newer.
 .\"*
 .SS Server Mode
 Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
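Review bot: dropping the per-option sentence is fine, but nothing in the diff states the new floor for the reader; a single "requires OpenSSL 1.0.1 or newer" line in the general description of doc/openvpn.8 would preserve the information the removed line carried.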
diff --git 
a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c 
b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
index 177977d..a72b374 100644
--- 
a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
+++ 
b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509)
 {
 continue;
 }
-/* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround 
*/
-unsigned char *buf = (unsigned char *)1;
+unsigned char *buf = NULL;
 if (ASN1_STRING_to_UTF8(, val) <= 0)
 {
 continue;
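Review bot: with the sentinel comment gone, nothing near this call documents that `ASN1_STRING_to_UTF8()` allocates `buf` and that the caller owns it; a one-line comment saying `buf` must be released with `OPENSSL_free()` after use would keep the ownership obvious. The hunk does not show that release, so it is worth confirming it still happens on the non-`continue` path.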
diff --git a/sample/sample-plugins/log/log_v3.c 
b/sample/sample-plugins/log/log_v3.c
index 9037225..d3014f3 100644
--- a/sample/sample-plugins/log/log_v3.c
+++ b/sample/sample-plugins/log/log_v3.c
@@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt)
 X509_NAME *x509_name;
 X509_NAME_ENTRY *ent;
 const char *objbuf;
-unsigned char *buf;
+unsigned char *buf = NULL;
 
 x509_name = X509_get_subject_name(x509crt);
 n = X509_NAME_entry_count(x509_name);
@@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt)
 {
 continue;
 }
-buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 
requires this workaround */
 if (ASN1_STRING_to_UTF8(, val) <= 0)
 {
 continue;
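Review bot: now that `buf` is initialised once at the top of `x509_print_info()` instead of being reset on every loop pass, the pointer carried into the next iteration is whatever the previous `ASN1_STRING_to_UTF8()` call left there. That is harmless with OpenSSL 1.0.1 and later, which ignores the incoming value and always allocates a fresh buffer, but it makes the `OPENSSL_free(buf)` between iterations (not visible in this hunk) the only thing standing between this change and a per-entry leak, so that free should be checked while this code is being touched.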
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index d7cc2ba..645ccf5 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int 
ssl_flags)
 sslopt |= SSL_OP_NO_TLSv1_2;
 }
 #endif
-#ifdef SSL_OP_NO_COMPRESSION
-/* Disable compression - flag not available in OpenSSL 0.9.8 */
 sslopt |= SSL_OP_NO_COMPRESSION;
-#endif
 SSL_CTX_set_options(ctx->ctx, sslopt);
 }
 
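Review bot: making `SSL_OP_NO_COMPRESSION` unconditional is the right call, but the removed line was also the only comment explaining why compression is switched off; keep a short comment such as `/* Always disable TLS compression (compression oracle risk) */` so a later reader does not mistake the flag for a leftover. The `#endif` that now directly precedes this line closes a separate conditional around `SSL_OP_NO_TLSv1_2`; if that guard is also an `#ifdef` on the flag, the same simplification applies there.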
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index 6ca4cb6..60a1f5e 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -33,17 +33,6 @@
 #include 
 
 /**
- * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
- * as this is something we do not want nor need, but could potentially be
- * used for a future attack.  For compatibility reasons we keep building if the
- * OpenSSL version is too old (pre-0.9.8f) to support stateless session
- * resumption (and the accompanying SSL_OP_NO_TICKET flag).
- */
-#ifndef SSL_OP_NO_TICKET
-#define SSL_OP_NO_TICKET 0
-#endif
-
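Review bot: removing the `#define SSL_OP_NO_TICKET 0` fallback changes the failure mode from silently building without the session-ticket protection to failing at compile time on a library that lacks the flag, which is the safer outcome and consistent with the configure change in this series (1.0.1 is well past the 0.9.8f the removed comment names). The rationale is lost with the comment, though; a one-line note where `SSL_OP_NO_TICKET` is OR-ed into `sslopt` saying stateless session resumption is deliberately disabled would keep that intent in the tree.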

Re: [Openvpn-devel] [PATCH applied] Make --cipher/--auth none more explicit on the risks

2017-04-11 Thread David Sommerseth

Just a commit time correction added, fixing wrong spelling of RECONSIDER.

Patch has been applied to the following branches

commit 7a1b6a0dd706a81897457b0456a951c0b30bbcfb  (master)
commit 1935729fe6d6badd978e9dfdd3402857b3d000a0  (release/2.4)
commit 32b5cb60e354f486c98408e6870af3a9c03ff865  (release/2.3)

Author: David Sommerseth
Date:   Tue Apr 11 00:28:28 2017 +0200

 Make --cipher/--auth none more explicit on the risks

 Signed-off-by: David Sommerseth 
 Acked-by: Steffan Karger 
 Message-Id: <20170410222828.23612-1-dav...@openvpn.net>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14436.html
 Signed-off-by: David Sommerseth 


--
kind regards,

David Sommerseth




Re: [Openvpn-devel] [PATCH] Make --cipher/--auth none more explicit on the risks

2017-04-11 Thread Steffan Karger
On 11-04-17 10:55, David Sommerseth wrote:
> On 11/04/17 06:26, Simon Matter wrote:
>>> The warning provided to --cipher and --auth using the 'none' setting may
>>> not have been too clearly understandable to non-developers or people not
>>> fully understanding encryption and cryptography.  This tries to improve
>>> that.
>>>
>>> While at it, also break up the long source lines.
>>>
>>> Signed-off-by: David Sommerseth 
>>> ---
>>>  src/openvpn/crypto.c | 11 +--
>>>  src/openvpn/init.c   |  5 -
>>>  2 files changed, 13 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
>>> index 909f725..8a5c723 100644
>>> --- a/src/openvpn/crypto.c
>>> +++ b/src/openvpn/crypto.c
>>> @@ -784,7 +784,10 @@ init_key_type(struct key_type *kt, const char
>>> *ciphername,
>>>  {
>>>  if (warn)
>>>  {
>>> -msg(M_WARN, "*** WARNING ***: null cipher specified,
>>> no encryption will be used");
>>> +msg(M_WARN, "*** WARNING ***: '--cipher none' was
>>> specified. "
>>> +"This means NO encryption will be performed and tunnelled
>>> "
>>> +"data WILL be transmitted in clear text over the network!
>>> "
>>> +"PLEASE DO RECONIDER THIS SETTING!");
>>
>> Hi
>>
>> Small typos, you may want to 's/RECONIDER/RECONSIDER/g' the patches.
> 
> Meh, yeah, sorry about that.  That needs to be fixed, but also something
> I can fix on-the-fly at commit time; that's an uncritical last minute
> change.  Just need an ACK first ;-)

ACK if you fix the typos :)

-Steffan






Re: [Openvpn-devel] [PATCH] Make --cipher/--auth none more explicit on the risks

2017-04-11 Thread David Sommerseth
On 11/04/17 06:26, Simon Matter wrote:
>> The warning provided to --cipher and --auth using the 'none' setting may
>> not have been too clearly understandable to non-developers or people not
>> fully understanding encryption and cryptography.  This tries to improve
>> that.
>>
>> While at it, also break up the long source lines.
>>
>> Signed-off-by: David Sommerseth 
>> ---
>>  src/openvpn/crypto.c | 11 +--
>>  src/openvpn/init.c   |  5 -
>>  2 files changed, 13 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
>> index 909f725..8a5c723 100644
>> --- a/src/openvpn/crypto.c
>> +++ b/src/openvpn/crypto.c
>> @@ -784,7 +784,10 @@ init_key_type(struct key_type *kt, const char
>> *ciphername,
>>  {
>>  if (warn)
>>  {
>> -msg(M_WARN, "*** WARNING ***: null cipher specified,
>> no encryption will be used");
>> +msg(M_WARN, "*** WARNING ***: '--cipher none' was
>> specified. "
>> +"This means NO encryption will be performed and tunnelled
>> "
>> +"data WILL be transmitted in clear text over the network!
>> "
>> +"PLEASE DO RECONIDER THIS SETTING!");
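Review bot: the reworded text is only reached inside `if (warn)`, so the stronger wording changes nothing for any caller of `init_key_type()` that passes `warn` as false; while sharpening the message it is worth confirming that every path on which `--cipher none` takes effect sets `warn` at least once, otherwise the emphasis is never seen. The literal is concatenated from four fragments and each fragment ends in a space, so the line wrapping is safe; the `RECONIDER` typo is already raised in the reply.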
> 
> Hi
> 
> Small typos, you may want to 's/RECONIDER/RECONSIDER/g' the patches.

Meh, yeah, sorry about that.  That needs to be fixed, but also something
I can fix on-the-fly at commit time; that's an uncritical last minute
change.  Just need an ACK first ;-)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc



