On Fri, Aug 25, 2017 at 11:07:16PM +0800, Gedalya wrote:
> I tried openssl 1.1.0f-5 and it is indeed better with e.g. s_client.

After the upload I've been wondering if I should change it to
set the minimum version to 1.0 by default again.


> However, I've locally built openvpn (and pkcs11-helper) with openssl 1.1.0.
> I'm not sure whether this is a bug with openvpn or an issue with this latest
> patch to openssl, but I've tried both these settings:
> 
> tls-version-min 1.0
> tls-version-max 1.0
> 
> in an openvpn client config, connecting to an old server supporting only
> TLS 1.0, and it doesn't work. It did of course work with openssl
> 1.1.0f-3.
> with 1.1.0f-5, I get:

openvpn doesn't seem to make use of the
SSL_CTX_set_min_proto_version() function yet. I've attached a
patch that I didn't even try to compile that I think should do the
right thing.


Kurt

--- src/openvpn/ssl_openssl.c.bak	2017-08-25 20:47:07.613021515 +0200
+++ src/openvpn/ssl_openssl.c	2017-08-25 20:56:45.152987547 +0200
@@ -215,6 +215,19 @@
 #endif
 }
 
+/* convert internal version number to openssl version number */
+static int
+openssl_tls_version(int ver)
+{
+    if (ver == TLS_VER_1_0)
+        return TLS1_VERSION;
+    else if (ver == TLS_VER_1_1)
+        return TLS1_1_VERSION;
+    else if (ver == TLS_VER_1_2)
+        return TLS1_2_VERSION;
+    return 0;
+}
+
 void
 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
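Review bot: openssl_tls_version() is defined unconditionally but is only referenced from inside the `#if OPENSSL_VERSION_NUMBER >= 0x10100000` branch, so a build against OpenSSL 1.0.x gets an unused static function warning (an error under -Werror); wrap the helper in the same guard. The `return 0;` fallthrough also deserves a comment, since the callers are SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() and those treat 0 as "no lower/upper limit": returning 0 for TLS_VER_UNSPEC is the right thing, but it reads like an error value as written.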
@@ -232,6 +245,14 @@
 
         tls_ver_max =
             (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+        SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min));
+        if (tls_ver_max <= TLS_VER_UNSPEC)
+        {
+            SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max));
+        }
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/
         if (tls_ver_max <= TLS_VER_UNSPEC)
         {
             tls_ver_max = tls_version_max();
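Review bot: the condition guarding the new SSL_CTX_set_max_proto_version() call is inverted. `if (tls_ver_max <= TLS_VER_UNSPEC)` is the "not specified" test, the same one the pre-1.1.0 branch right below uses to fall back to tls_version_max(), so a configured --tls-version-max is silently ignored while an unspecified one calls SSL_CTX_set_max_proto_version(ctx->ctx, 0), which merely leaves the upper bound unrestricted. Either invert it to `if (tls_ver_max > TLS_VER_UNSPEC)` or drop the check, since openssl_tls_version(TLS_VER_UNSPEC) already yields 0 and OpenSSL reads 0 as "no upper limit". The return values of both calls are also discarded; they return 0 on failure, and a rejected bound would go unnoticed. Minor: the `#else` comment is missing a space before `*/`.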
@@ -253,6 +274,7 @@
             sslopt |= SSL_OP_NO_TLSv1_2;
         }
 #endif
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifdef SSL_OP_NO_COMPRESSION
         /* Disable compression - flag not available in OpenSSL 0.9.8 */
         sslopt |= SSL_OP_NO_COMPRESSION;
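Review bot: the closing comment `/* OPENSSL_VERSION_NUMBER */` should spell out the full condition (`OPENSSL_VERSION_NUMBER >= 0x10100000`) as the `#else` does, because this `#endif` lands directly after the inner conditional's `#endif` and the two are easy to confuse when reading the file without the patch context.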

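The API the patch is reaching for, as an added example that is not code from this thread, from OpenVPN or from OpenSSL: Python's ssl module exposes SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() as SSLContext.minimum_version/maximum_version, so it can show how the two directives Gedalya used should map onto those calls without a C build. The config text is constructed for the example, the directive parser is a minimal stand-in for OpenVPN's option handling (the optional `or-highest` word is not modelled), and the "1.3" entry is an assumption about releases newer than the one discussed.

```python
import ssl
import warnings

# Constructed sample (not a file from the thread or from OpenVPN) with the two
# directives used to talk to a server that only speaks TLS 1.0.
SAMPLE_CONFIG = """\
client
remote vpn.example.invalid 1194
tls-version-min 1.0
tls-version-max 1.0
"""

# OpenVPN's version spellings mapped onto ssl.TLSVersion, the Python view of
# OpenSSL's TLS1_VERSION / TLS1_1_VERSION / TLS1_2_VERSION constants.
# "1.3" postdates the 2017 patch; it is an assumption about newer releases.
TLS_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_tls_version_bounds(config_text):
    """Pull tls-version-min / tls-version-max out of an OpenVPN-style config.

    Returns (tls_min, tls_max); None means the directive was not given.
    Comments starting with '#' are stripped; 'or-highest' is ignored.
    """
    tls_min = tls_max = None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0] == "tls-version-min":
            tls_min = TLS_VERSIONS[parts[1]]
        elif parts[0] == "tls-version-max":
            tls_max = TLS_VERSIONS[parts[1]]
    return tls_min, tls_max


def build_context(tls_min, tls_max):
    """Apply the bounds the way the OpenSSL 1.1 API expects.

    Assigning minimum_version / maximum_version calls
    SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version.  A bound
    that was not configured is left untouched (OpenSSL's 0 = "no
    restriction"), so a configured maximum must be applied and an
    unconfigured one must not be.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Recent Pythons emit DeprecationWarning for TLS 1.0/1.1 bounds; that
        # is a policy signal, not a failure, so it is silenced for the demo.
        warnings.simplefilter("ignore", DeprecationWarning)
        if tls_min is not None:
            ctx.minimum_version = tls_min
        if tls_max is not None:
            ctx.maximum_version = tls_max
    return ctx


def bounds_are_consistent(ctx):
    """False when the configured maximum lies below the minimum, a context
    that can never complete a handshake; the *_SUPPORTED sentinels count as
    open ends."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED or hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return True
    return lo <= hi


def effective_bounds(config_text):
    """Parse, apply, and report what the library actually holds as
    (min name, max name, consistent) so a misapplied directive is visible."""
    ctx = build_context(*parse_tls_version_bounds(config_text))
    return ctx.minimum_version.name, ctx.maximum_version.name, bounds_are_consistent(ctx)


if __name__ == "__main__":
    print(effective_bounds(SAMPLE_CONFIG))
    print(effective_bounds("tls-version-min 1.2\n"))
    print(effective_bounds("tls-version-min 1.2\ntls-version-max 1.0\n"))
```

The read-back through effective_bounds() is the check worth keeping in a real port: if a max directive is applied under a "not specified" condition, the library still reports MAXIMUM_SUPPORTED and the mistake shows up immediately. A bound that the library accepts is not a guarantee of a handshake, though: the OpenSSL security level and build options can still refuse TLS 1.0 at connect time, which is what an `openssl s_client` run against the server will tell you.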