Hi,

I'm running rpmlint against packages built based on the Fedora Copr [1] build
I've provided for some time.  I'm planning to move this forward for the standard
Fedora and EPEL repositories.  But rpmlint complains about the usage of
SSL_CTX_set_cipher_list(), which I in this case would call a false-positive
for OpenVPN.

[1] <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/>
    <https://gitlab.com/dazo/copr-openvpn3>

The code which trips this warning is:

-------------------------------------------------------------------------------
          if (config->force_aes_cbc_ciphersuites)
            {
              if (!SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"))
                OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed for force_aes_cbc_ciphersuites");
            }
          else
            {
              if (!SSL_CTX_set_cipher_list(ctx,
                                           /* default list as a basis */
                                           "DEFAULT"
                                           /* Disable export ciphers, low and medium */
                                           ":!EXP:!LOW:!MEDIUM"
                                           /* Disable static (EC)DH keys (no forward secrecy) */
                                           ":!kDH:!kECDH"
                                           /* Disable DSA private keys */
                                           ":!DSS"
                                           /* Disable RC4 cipher */
                                           ":!RC4"
                                           /* Disable MD5 */
                                           ":!MD5"
                                           /* Disable unsupported TLS modes */
                                           ":!PSK:!SRP:!kRSA"
                                           /* Disable SSLv2 cipher suites */
                                           ":!SSLv2"
                                           ))
                  OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed");
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
              SSL_CTX_set_ecdh_auto(ctx, 1); // this method becomes a no-op in OpenSSL 1.1
#endif
            }
-------------------------------------------------------------------------------
These calls can be found in openvpn/openssl/ssl/sslctx.hpp
<https://github.com/OpenVPN/openvpn3/blob/b62654274fd938ebb82dbe3a2e78d9b8fd465970/openvpn/openssl/ssl/sslctx.hpp#L1094>

The first SSL_CTX_set_cipher_list() is being slated for removal, as the
"force_aes_cbc_ciphersuites" feature is not considered needed any more;
negotiation works much better nowadays than when this was added
about 5 years ago.  But the cipher-list here shouldn't be of that much
concern.

The second block should really be fine too; it just strictly enforces a fairly
strict default set of ciphers.

So my question is if this will be a show-stopper for getting the openvpn3
package into the standard Fedora + EPEL repositories?


--
kind regards,

David Sommerseth
OpenVPN Inc
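An added, stand-alone check (not code from this mail or from openvpn3): the default cipher string from the second block above is applied through Python's ssl module, which calls SSL_CTX_set_cipher_list underneath, and every suite OpenSSL then reports as enabled is checked against the exclusions the snippet's comments promise. It assumes a local OpenSSL 1.1.0 or newer (needed for get_ciphers()); the constructed dict in the test is not real OpenSSL output.

```python
import ssl

# Cipher string copied from the non-forced branch of the openvpn3 snippet above.
OPENVPN3_DEFAULT_CIPHERS = (
    "DEFAULT"
    ":!EXP:!LOW:!MEDIUM"  # export, low and medium strength suites
    ":!kDH:!kECDH"        # static (EC)DH key exchange, no forward secrecy
    ":!DSS"               # DSA-signed certificates
    ":!RC4"               # RC4 stream cipher
    ":!MD5"               # MD5 MAC
    ":!PSK:!SRP:!kRSA"    # PSK, SRP and RSA key transport
    ":!SSLv2"             # SSLv2 suites (unknown alias to OpenSSL >= 1.1.0, so ignored)
)


def enabled_ciphers(cipher_string):
    """Apply cipher_string to a fresh context (set_ciphers() wraps
    SSL_CTX_set_cipher_list) and return OpenSSL's view of the enabled suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def cipher_fields(cipher):
    """Parse 'Kx=', 'Au=', 'Enc=' and 'Mac=' out of the description string,
    which has the same layout as `openssl ciphers -v` output."""
    return dict(tok.split("=", 1) for tok in cipher["description"].split() if "=" in tok)


def policy_violations(ciphers):
    """Names of suites that contradict the exclusions in the snippet's comments.
    TLS 1.3 suites (Kx=any, Au=any) are always listed and never match."""
    bad = []
    for c in ciphers:
        f = cipher_fields(c)
        if (f.get("Kx") == "RSA"                           # kRSA: no forward secrecy
                or "PSK" in f.get("Kx", "") or f.get("Kx") == "SRP"
                or f.get("Au") == "DSS"
                or f.get("Enc", "").startswith("RC4")
                or f.get("Mac") == "MD5"
                or c["strength_bits"] < 128):              # EXP/LOW/MEDIUM (3DES is 112)
            bad.append(c["name"])
    return bad


def check_openvpn3_default():
    return policy_violations(enabled_ciphers(OPENVPN3_DEFAULT_CIPHERS))


if __name__ == "__main__":
    print("suites enabled:", [c["name"] for c in enabled_ciphers(OPENVPN3_DEFAULT_CIPHERS)])
    print("violations with openvpn3 string:", check_openvpn3_default())
    print("violations with plain DEFAULT:", policy_violations(enabled_ciphers("DEFAULT")))
```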
_______________________________________________
security mailing list -- security@lists.fedoraproject.org
To unsubscribe send an email to security-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/security@lists.fedoraproject.org