Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
On 05-03-18 00:26, Steffan Karger wrote:
> Yes, I'd rather not use the workaround if not needed.

Bad wording. Read that as "I'm no longer opposed to a patch".

-Steffan

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
Hi,

On 04-03-18 19:59, Jeremie Courreges-Anglas wrote:
> On Thu, Dec 14 2017, Steffan Karger wrote:
>
> [...]
>
>> NAK.
>>
>> Looking at this patch again I realize I have misunderstood the
>> intentions when first looking at it. I thought LibreSSL *did* have an
>> SSL_CTX_get0_certificate() and this patch would make us use it (instead
>> of the workaround in the #else). But this is just about replacing the
>> version check with a configure check.
>
> Are you still opposed to such a diff (updated version attached), now
> that LibreSSL HEAD provides SSL_CTX_get0_certificate?

Yes, I'd rather not use the workaround if not needed. Still not very happy about the approach though. Why not simply add || LIBRESSL_VERSION > x.y.z ?

>> I oppose that change because it
>> hides information I want to have: "what code can be purged when we drop
>> support for openssl 1.0 and libressl?".
>
> Maybe there's another way to encode that information? Like,
> consistently formatted comments describing the first OpenSSL (and
> LibreSSL) releases that provided a function?

Yes, we could do that. But if we're going to put that info into the code anyway, why not just use the define?

-Steffan
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
On Thu, Dec 14 2017, Steffan Karger wrote:

[...]

> NAK.
>
> Looking at this patch again I realize I have misunderstood the
> intentions when first looking at it. I thought LibreSSL *did* have an
> SSL_CTX_get0_certificate() and this patch would make us use it (instead
> of the workaround in the #else). But this is just about replacing the
> version check with a configure check.

Are you still opposed to such a diff (updated version attached), now that LibreSSL HEAD provides SSL_CTX_get0_certificate?

> I oppose that change because it
> hides information I want to have: "what code can be purged when we drop
> support for openssl 1.0 and libressl?".

Maybe there's another way to encode that information? Like, consistently formatted comments describing the first OpenSSL (and LibreSSL) releases that provided a function?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE

From e6d80207bf7f1323670d0bc1102fa51309b1aa14 Mon Sep 17 00:00:00 2001 From: Jeremie Courreges-Anglas Date: Sun, 4 Mar 2018 19:24:36 +0100 Subject: [PATCH] Detect availability of SSL_CTX_get0_certificate instead of relying on simpler version checks. This allows using SSL_CTX_get0_certificate with LibreSSL. --- configure.ac | 1 + src/openvpn/ssl_openssl.c | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 626b4dd4..e4525b09 100644 --- a/configure.ac +++ b/configure.ac @@ -918,6 +918,7 @@ if test "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + SSL_CTX_get0_certificate \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8ef68ebd..19580312 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c
@@ -459,8 +459,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) -/* OpenSSL 1.0.2 and up */ +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE +/* OpenSSL 1.0.2 and up, LibreSSL 2.7.0 and up */ cert = SSL_CTX_get0_certificate(ctx->ctx); #else /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */ @@ -494,7 +494,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) } cleanup: -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) +#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE SSL_free(ssl); #endif return; -- 2.16.0
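Review bot: in the first ssl_openssl.c hunk (tls_ctx_check_cert_time, lines 459 onward), the new comment `/* OpenSSL 1.0.2 and up, LibreSSL 2.7.0 and up */` is now the only place that records which releases the `#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE` branch exists for, so the commit message should state that this comment convention is the intended replacement for the version expression Steffan wants to keep, and the untouched `#else` comment `/* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */` should name LibreSSL before 2.7.0 as well so both branches document the same boundary.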
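Review bot: in the cleanup hunk (lines 494 onward), keying `SSL_free(ssl);` on `#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE` is the right choice because the allocation path and the free are now governed by a single macro; the previous pair of mirrored expressions, `>= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)` against `< 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)`, had to be kept in sync by hand, and a future edit to one of them would have produced either a leak or a free of an undeclared object.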
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
Hi,

On 19-11-17 23:18, Jeremie Courreges-Anglas wrote:
> Here's another diff to detect SSL_CTX_get0_certificate().
>
> Tested against LibreSSL only; adding
>
> #define HAVE_SSL_CTX_GET0_CERTIFICATE 1
>
> to config.h lets ssl_openssl.c build (with a warning), the link fails as
> expected.
>
> From 1abd6089a45260e4ce7adfae3fa619f9055edcaf Mon Sep 17 00:00:00 2001 > From: Jeremie Courreges-Anglas > Date: Sun, 19 Nov 2017 23:12:30 +0100 > Subject: [PATCH] Detect if SSL_CTX_get0_certificate is available > > Don't rely on #ifdef OPENSSL/LIBRESSL_VERSION_NUMBER checks. > > Signed-off-by: Jeremie Courreges-Anglas > --- > configure.ac | 1 + > src/openvpn/ssl_openssl.c | 4 ++-- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/configure.ac b/configure.ac > index acfddb22..ac6e7a76 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -925,6 +925,7 @@ if test "${enable_crypto}" = "yes" -a > "${with_crypto_library}" = "openssl"; then > EVP_MD_CTX_new \ > EVP_MD_CTX_free \ > EVP_MD_CTX_reset \ > + SSL_CTX_get0_certificate \ > SSL_CTX_get_default_passwd_cb \ > SSL_CTX_get_default_passwd_cb_userdata \ > SSL_CTX_set_security_level \ > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index b782946e..3df70166 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -425,7 +425,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) > > ASSERT(ctx); > > -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && > !defined(LIBRESSL_VERSION_NUMBER) > +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE > /* OpenSSL 1.0.2 and up */ > cert = SSL_CTX_get0_certificate(ctx->ctx); > #else
> @@ -460,7 +460,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) > } > > cleanup: > -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) > +#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE > SSL_free(ssl); > #endif > return; > -- > 2.15.0

NAK.

Looking at this patch again I realize I have misunderstood the intentions when first looking at it. I thought LibreSSL *did* have an SSL_CTX_get0_certificate() and this patch would make us use it (instead of the workaround in the #else). But this is just about replacing the version check with a configure check. I oppose that change because it hides information I want to have: "what code can be purged when we drop support for openssl 1.0 and libressl?".

-Steffan
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
Hi,

On 19-11-17 23:01, Jeremie Courreges-Anglas wrote:
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.
>
>
> From: Jeremie Courreges-Anglas > Date: Sun, 19 Nov 2017 22:57:56 +0100 > Subject: [PATCH] Fix build with LibreSSL > > Detect the presence of SSL_CTX_set_security_level(), don't check > OPENSSL_VERSION_NUMBER. > > Signed-off-by: Jeremie Courreges-Anglas > --- > configure.ac | 1 + > src/openvpn/ssl_openssl.c | 2 +- > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/configure.ac b/configure.ac > index 7f2e34f2..acfddb22 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -927,6 +927,7 @@ if test "${enable_crypto}" = "yes" -a > "${with_crypto_library}" = "openssl"; then > EVP_MD_CTX_reset \ > SSL_CTX_get_default_passwd_cb \ > SSL_CTX_get_default_passwd_cb_userdata \ > + SSL_CTX_set_security_level \ > X509_get0_pubkey \ > X509_STORE_get0_objects \ > X509_OBJECT_free \ > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index de89cb13..b782946e 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c
> @@ -386,7 +386,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const > char *ciphers) > void > tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) > { > -#if (OPENSSL_VERSION_NUMBER >= 0x1010) > +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL > /* OpenSSL does not have certificate profiles, but a complex set of > * callbacks that we could try to implement to achieve something similar. > * For now, use OpenSSL's security levels to achieve similar (but not > equal) > -- > 2.15.0

Patch looks good and clean enough to restore compatibility with libressl. Tested that this doesn't break --tls-cert-profile with OpenSSL 1.1, and doesn't break builds with OpenSSL 1.0.

Acked-by: Steffan Karger
Tested-by: Steffan Karger

-Steffan
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
Hi,

On 20-11-17 09:06, Gert Doering wrote:
> On Sun, Nov 19, 2017 at 11:01:39PM +0100, Jeremie Courreges-Anglas
> wrote:
>>> (Not sure, though, why it only complains about two out of
>>> three, but still annoyance... if LibreSSL claims
>>> OPENSSL_VERSION_NUMBER >= 0x1010 it better should provide
>>> everything needed)
>>
>> LibreSSL defines:
>>
>> #define OPENSSL_VERSION_NUMBER 0x2000L
>>
>> breaking #ifdef checks based on it.
>
> Indeed. I find this a curious and not useful setting - "if it's
> not compatible with OPENSSL, why define such a version number"?
> But that's slightly out of scope here...

+1, highly frustrating. LibreSSL should really just make up their mind whether they want to be OpenSSL-compatible or not, and act accordingly.

>> Sadly, people tend to prefer adding
>>
>> && !defined(LIBRESSL_VERSION_NUMBER)
>>
>> to fix the build, rather than doing features detection using
>> autoconf or similar. openvpn can easily solve this.
>
> ... and I'm thankful for your patch, because this is exactly what I
> considered doing here. We already check for all the 1.0/1.1
> openssl differences (accessor functions), so adding this one is
> logical.

*If* we want to keep LibreSSL working, I agree this is the way to go. But I'm kind of annoyed that we are including more and more #ifdefs to keep LibreSSL happy. The version checks are much simpler and make it easy to see what code can be purged when we drop support for e.g. openssl 1.0.1. I don't want to keep these 'backwards compatibility' ifdefs forever. At some point we'll have to decide to either completely stop supporting LibreSSL, or add it as a true abstraction (which I will *not* maintain). We're getting closer and closer to that point.

>>> This is on OpenBSD 6.0, which happens to be something Samuli's
>>> vagrant setup can provide nicely if anyone wants to have a look
>>> :-)
>>
>> Here's a diff, master builds and seems to run fine as a client
>> on OpenBSD-current.
>
> Thanks. Patch looks good to me, but I leave the final word to
> Steffan (maybe he wants to amend the non-support message to include
> LibreSSL, or whatever)

They look good at first sight, but I'll check these properly later this week - when I have some spare cycles available.

>> I can cook a similar diff for the remaining OPENSSL /
>> LIBRESSL_VERSION_NUMBER #ifdef.
>
> This would be appreciated.

Same reservations as above. To reiterate: our policy towards LibreSSL is currently that we do *not* support it, but we won't break it on purpose and accept trivial patches to keep it working. Where 'trivial' is - of course - fuzzy.

-Steffan
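An added example, not OpenVPN code and not from any poster in this thread, that simulates the three guard styles argued over above for SSL_CTX_get0_certificate(): a bare OPENSSL_VERSION_NUMBER comparison, the same comparison plus `!defined(LIBRESSL_VERSION_NUMBER)`, and a configure-generated HAVE_ macro. The build table is constructed for illustration; it assumes OpenSSL's 0xMNNFFPPS version layout, LibreSSL's fixed 0x20000000L in opensslv.h, and, from the thread, that LibreSSL gained the function in 2.7.0.

```c
/* Added example, not OpenVPN's code: which #if guard style selects the
 * right code path for SSL_CTX_get0_certificate() across OpenSSL and
 * LibreSSL builds. The build table is constructed for illustration. */
#include <stdio.h>
#include <string.h>

struct crypto_build {
    const char   *name;
    unsigned long version_number;    /* OPENSSL_VERSION_NUMBER in opensslv.h */
    int           is_libressl;       /* LIBRESSL_VERSION_NUMBER defined? */
    int           exports_get0_cert; /* does the library really export it? */
};

/* OpenSSL encodes releases as 0xMNNFFPPS; LibreSSL's opensslv.h reports a
 * fixed 0x20000000L. The thread says LibreSSL gained the function in 2.7.0. */
static const struct crypto_build builds[] = {
    { "OpenSSL 1.0.1", 0x1000100fL, 0, 0 },
    { "OpenSSL 1.0.2", 0x1000200fL, 0, 1 },
    { "OpenSSL 1.1.0", 0x1010000fL, 0, 1 },
    { "LibreSSL 2.6",  0x20000000L, 1, 0 },
    { "LibreSSL 2.7",  0x20000000L, 1, 1 },
};
#define NBUILDS (sizeof(builds) / sizeof(builds[0]))

enum guard_style {
    GUARD_VERSION,              /* #if OPENSSL_VERSION_NUMBER >= 0x10002000L */
    GUARD_VERSION_NOT_LIBRESSL, /* ... && !defined(LIBRESSL_VERSION_NUMBER) */
    GUARD_HAVE_MACRO            /* #ifdef HAVE_SSL_CTX_GET0_CERTIFICATE */
};

/* Decode 0xMNNFFPPS into "M.NN.FF"; returns out for convenience. */
char *decode_version(unsigned long v, char *out, size_t len)
{
    snprintf(out, len, "%lu.%lu.%lu",
             (v >> 28) & 0xfUL, (v >> 20) & 0xffUL, (v >> 12) & 0xffUL);
    return out;
}

/* 1 if guard g compiles the SSL_CTX_get0_certificate() path for build b. */
int guard_selects_get0(enum guard_style g, const struct crypto_build *b)
{
    switch (g) {
    case GUARD_VERSION:
        return b->version_number >= 0x10002000L;
    case GUARD_VERSION_NOT_LIBRESSL:
        return b->version_number >= 0x10002000L && !b->is_libressl;
    case GUARD_HAVE_MACRO:
        /* configure's link test defines the macro only if the symbol exists */
        return b->exports_get0_cert;
    }
    return 0;
}

/* Count builds where the guard disagrees with what actually links. Selected
 * but missing = undefined reference at link time (Gert's buildslave); present
 * but not selected = silently takes the SSL-object workaround in the #else. */
int guard_mismatches(enum guard_style g, int *link_errors)
{
    int bad = 0;
    if (link_errors) *link_errors = 0;
    for (size_t i = 0; i < NBUILDS; i++) {
        int sel = guard_selects_get0(g, &builds[i]);
        if (sel == builds[i].exports_get0_cert) continue;
        bad++;
        if (sel && link_errors) (*link_errors)++;
    }
    return bad;
}

int main(void)
{
    for (int g = GUARD_VERSION; g <= GUARD_HAVE_MACRO; g++) {
        int le, bad = guard_mismatches((enum guard_style)g, &le);
        printf("guard style %d: %d mismatching builds, %d link errors\n", g, bad, le);
    }
    return 0;
}
```

Only the HAVE_ macro style matches every build: the bare version check breaks the link on LibreSSL 2.6, and the `!defined(LIBRESSL_VERSION_NUMBER)` variant keeps LibreSSL 2.7 on the workaround path even though the function is there.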
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
Hi,

On Sun, Nov 19, 2017 at 11:01:39PM +0100, Jeremie Courreges-Anglas wrote:
> > (Not sure, though, why it only complains about two out of three, but
> > still annoyance... if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010
> > it better should provide everything needed)
>
> LibreSSL defines:
>
> #define OPENSSL_VERSION_NUMBER 0x2000L
>
> breaking #ifdef checks based on it.

Indeed. I find this a curious and not useful setting - "if it's not compatible with OPENSSL, why define such a version number"? But that's slightly out of scope here...

> Sadly, people tend to prefer adding
>
> && !defined(LIBRESSL_VERSION_NUMBER)
>
> to fix the build, rather than doing features detection using autoconf or
> similar. openvpn can easily solve this.

... and I'm thankful for your patch, because this is exactly what I considered doing here. We already check for all the 1.0/1.1 openssl differences (accessor functions), so adding this one is logical.

> > This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
> > setup can provide nicely if anyone wants to have a look :-)
>
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.

Thanks. Patch looks good to me, but I leave the final word to Steffan (maybe he wants to amend the non-support message to include LibreSSL, or whatever)

> I can cook a similar diff for the remaining OPENSSL /
> LIBRESSL_VERSION_NUMBER #ifdef.

This would be appreciated.

gert
--
now what should I write here...
Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
On Sun, Nov 19 2017, Jeremie Courreges-Anglas wrote:
> On Sun, Nov 19 2017, Gert Doering wrote:
>> Hi,
>>
>> On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
>>> .. of course this conflicts with o->renegotiate_seconds_min...
>>>
>>> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3
>>> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
>>> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
>>>
>>> Also tested with openssl 1.0.1, where it warns and does nothing, as
>>> expected. Good :-)
>>
>> I *should* have tested with LibreSSL as well...
>>
>> ssl_openssl.o: In function `tls_ctx_set_cert_profile':
>> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable
>> -lzo--disable-management/build/src/openvpn/ssl_openssl.c:404:
>> undefined reference to `SSL_CTX_set_security_level'
>> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400:
>> undefined reference to `SSL_CTX_set_security_level'
>>
>> ... *roll eyes*
>>
>> (Not sure, though, why it only complains about two out of three, but
>> still annoyance... if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010
>> it better should provide everything needed)
>
> LibreSSL defines:
>
> #define OPENSSL_VERSION_NUMBER 0x2000L
>
> breaking #ifdef checks based on it. Sadly, people tend to prefer adding
>
> && !defined(LIBRESSL_VERSION_NUMBER)
>
> to fix the build, rather than doing features detection using autoconf or
> similar. openvpn can easily solve this.
>
>> This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
>> setup can provide nicely if anyone wants to have a look :-)
>
> Here's a diff, master builds and seems to run fine as a client on
> OpenBSD-current.
>
> I can cook a similar diff for the remaining OPENSSL /
> LIBRESSL_VERSION_NUMBER #ifdef.

Here's another diff to detect SSL_CTX_get0_certificate().
Tested against LibreSSL only; adding

#define HAVE_SSL_CTX_GET0_CERTIFICATE 1

to config.h lets ssl_openssl.c build (with a warning), the link fails as expected.

From 1abd6089a45260e4ce7adfae3fa619f9055edcaf Mon Sep 17 00:00:00 2001 From: Jeremie Courreges-Anglas Date: Sun, 19 Nov 2017 23:12:30 +0100 Subject: [PATCH] Detect if SSL_CTX_get0_certificate is available Don't rely on #ifdef OPENSSL/LIBRESSL_VERSION_NUMBER checks. Signed-off-by: Jeremie Courreges-Anglas --- configure.ac | 1 + src/openvpn/ssl_openssl.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index acfddb22..ac6e7a76 100644 --- a/configure.ac +++ b/configure.ac @@ -925,6 +925,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + SSL_CTX_get0_certificate \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b782946e..3df70166 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -425,7 +425,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE /* OpenSSL 1.0.2 and up */ cert = SSL_CTX_get0_certificate(ctx->ctx); #else
@@ -460,7 +460,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) } cleanup: -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) +#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE SSL_free(ssl); #endif return; -- 2.15.0

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
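Review bot: in the first ssl_openssl.c hunk (tls_ctx_check_cert_time, line 425 onward), the comment `/* OpenSSL 1.0.2 and up */` left under the new `#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE` is now stale: the guard no longer tests a version, and the purpose of the change is that a LibreSSL build exporting the function also takes this path. Replace it with a comment naming the first OpenSSL and LibreSSL releases that provide SSL_CTX_get0_certificate(); that is also the information Steffan's objection in the reply asks to keep visible once the version expression is gone.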
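Review bot: in the cleanup hunk (line 460 onward), `#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE` around `SSL_free(ssl);` must remain the exact negation of the guard in the first hunk, and it does; using one macro for both ends is an improvement over the old mirrored pair `>= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)` and `< 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)`, which had to be kept in step by hand. The commit message could say so, since the diffstat alone makes this look like a cosmetic swap.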
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
On Sun, Nov 19 2017, Gert Doering wrote:
> Hi,
>
> On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
>> .. of course this conflicts with o->renegotiate_seconds_min...
>>
>> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3
>> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
>> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
>>
>> Also tested with openssl 1.0.1, where it warns and does nothing, as
>> expected. Good :-)
>
> I *should* have tested with LibreSSL as well...
>
> ssl_openssl.o: In function `tls_ctx_set_cert_profile':
> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable
> -lzo--disable-management/build/src/openvpn/ssl_openssl.c:404:
> undefined reference to `SSL_CTX_set_security_level'
> /home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400:
> undefined reference to `SSL_CTX_set_security_level'
>
> ... *roll eyes*
>
> (Not sure, though, why it only complains about two out of three, but
> still annoyance... if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010
> it better should provide everything needed)

LibreSSL defines:

#define OPENSSL_VERSION_NUMBER 0x2000L

breaking #ifdef checks based on it. Sadly, people tend to prefer adding

&& !defined(LIBRESSL_VERSION_NUMBER)

to fix the build, rather than doing features detection using autoconf or similar. openvpn can easily solve this.

> This is on OpenBSD 6.0, which happens to be something Samuli's vagrant
> setup can provide nicely if anyone wants to have a look :-)

Here's a diff, master builds and seems to run fine as a client on OpenBSD-current.

I can cook a similar diff for the remaining OPENSSL / LIBRESSL_VERSION_NUMBER #ifdef.

From 15315d3c3b25814a426bfc8184c4dfd262f28768 Mon Sep 17 00:00:00 2001
From: Jeremie Courreges-Anglas Date: Sun, 19 Nov 2017 22:57:56 +0100 Subject: [PATCH] Fix build with LibreSSL Detect the presence of SSL_CTX_set_security_level(), don't check OPENSSL_VERSION_NUMBER. Signed-off-by: Jeremie Courreges-Anglas --- configure.ac | 1 + src/openvpn/ssl_openssl.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 7f2e34f2..acfddb22 100644 --- a/configure.ac +++ b/configure.ac @@ -927,6 +927,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_reset \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ + SSL_CTX_set_security_level \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index de89cb13..b782946e 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -386,7 +386,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { -#if (OPENSSL_VERSION_NUMBER >= 0x1010) +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL /* OpenSSL does not have certificate profiles, but a complex set of * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) -- 2.15.0 -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
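Review bot: in the ssl_openssl.c hunk (tls_ctx_set_cert_profile, line 386 onward), swapping `#if (OPENSSL_VERSION_NUMBER >= 0x1010)` for `#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL` removes the undefined references to SSL_CTX_set_security_level that Gert's LibreSSL buildslave reported, but the `#else` branch that emits the non-support warning is outside the hunk and will now also be taken by LibreSSL builds lacking the function, so that message should mention LibreSSL as Gert suggests in his reply. A one-line comment next to the `#ifdef` naming the OpenSSL release that introduced SSL_CTX_set_security_level would preserve the version information the old check carried and that Steffan wants to keep for later clean-up.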
Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds
Hi,

On Sun, Nov 19, 2017 at 09:37:56PM +0100, Gert Doering wrote:
> .. of course this conflicts with o->renegotiate_seconds_min...
>
> Nevertheless, thanks for the patch :-) - it makes my FreeBSD 10.3
> (mbedTLS 2.6) buildslave now happy again (on the default settings - with
> --tls-cert-profile preferred, it refuses the old-hash cert, as it should).
>
> Also tested with openssl 1.0.1, where it warns and does nothing, as
> expected. Good :-)

I *should* have tested with LibreSSL as well...

ssl_openssl.o: In function `tls_ctx_set_cert_profile':
/home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable
-lzo--disable-management/build/src/openvpn/ssl_openssl.c:404:
undefined reference to `SSL_CTX_set_security_level'
/home/buildbot/build-openvpn/build-cron2-openbsd-60-amd64-stable-master--disable-lzo--disable-management/build/src/openvpn/ssl_openssl.c:400:
undefined reference to `SSL_CTX_set_security_level'

... *roll eyes*

(Not sure, though, why it only complains about two out of three, but still annoyance... if LibreSSL claims OPENSSL_VERSION_NUMBER >= 0x1010 it better should provide everything needed)

This is on OpenBSD 6.0, which happens to be something Samuli's vagrant setup can provide nicely if anyone wants to have a look :-)

gert
--
now what should I write here...
Gert Doering - Munich, Germany g...@greenie.muc.de