Source: openvpn Version: 2.4.3-4 Severity: important Tags: patch Hi,
The attached patch adds support for the new way of setting the minimum and maximum supported TLS version in OpenSSL. This is marked as important because if you switch to openssl 1.1.0 the default minimum version in Debian is currently TLS 1.2 and you can't override it with the options you're currently using (which are deprecated). Kurt
--- src/openvpn/ssl_openssl.c.bak 2017-08-26 13:10:40.333428825 +0200
+++ src/openvpn/ssl_openssl.c 2017-08-26 13:12:05.143672978 +0200
@@ -215,6 +215,19 @@
 #endif
 }
 
+/* convert internal version number to openssl version number */
+static int
+openssl_tls_version(int ver)
+{
+ if (ver == TLS_VER_1_0)
+ return TLS1_VERSION;
+ else if (ver == TLS_VER_1_1)
+ return TLS1_1_VERSION;
+ else if (ver == TLS_VER_1_2)
+ return TLS1_2_VERSION;
+ return 0;
+}
+
 void
 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
@@ -232,6 +245,17 @@
 tls_ver_max =
 (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
 
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ if (tls_ver_min <= TLS_VER_UNSPEC)
+ {
+ SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min));
+ }
+ if (tls_ver_max <= TLS_VER_UNSPEC)
+ {
+ SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max));
+ }
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/
 if (tls_ver_max <= TLS_VER_UNSPEC)
 {
 tls_ver_max = tls_version_max();
@@ -253,6 +277,7 @@
 sslopt |= SSL_OP_NO_TLSv1_2;
 }
 #endif
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifdef SSL_OP_NO_COMPRESSION
 /* Disable compression - flag not available in OpenSSL 0.9.8 */
 sslopt |= SSL_OP_NO_COMPRESSION;
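Review bot: openssl_tls_version() maps TLS_VER_UNSPEC and any unrecognised value to 0, and the caller in the next hunk hands that 0 straight to SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version, where 0 means "no bound"; that contract should be stated on the function so the resulting no-floor/no-ceiling behaviour is visibly deliberate. I would replace the one-line comment with `/* Map an OpenVPN TLS_VER_* value to the matching OpenSSL TLS*_VERSION constant. Returns 0, which SSL_CTX_set_{min,max}_proto_version treats as "no bound", for TLS_VER_UNSPEC and for any value without an OpenSSL equivalent. */`. A `switch` with an explicit `default: return 0;` would also make the catch-all path obvious at a glance rather than leaving it to the trailing return.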
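Review bot: The guards `if (tls_ver_min <= TLS_VER_UNSPEC)` and `if (tls_ver_max <= TLS_VER_UNSPEC)` in the new OpenSSL 1.1.0 branch are inverted relative to their purpose: by the convention visible in the retained `#else` branch, `<= TLS_VER_UNSPEC` means "not configured", so the new path only calls SSL_CTX_set_min/max_proto_version when no version was given (passing 0, i.e. no bound) and never applies an explicitly configured `--tls-version-min` or `--tls-version-max`, leaving a requested floor silently unenforced. Both calls should be made unconditionally, letting the 0 returned by openssl_tls_version() express "no bound", and their return value checked, since they return 0 on failure and a rejected bound would otherwise go unnoticed. Whether a 0 floor also re-admits SSLv3 depends on the SSL_OP_NO_SSLv3 handling elsewhere in this function, which is outside the hunk, and is worth confirming. The enclosing tls_ctx_set_options() continues outside the hunk.
```c
#if OPENSSL_VERSION_NUMBER >= 0x10100000
    /* 0 (TLS_VER_UNSPEC) leaves that side unbounded; an explicitly
     * configured version is always applied, independent of the other side. */
    if (!SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min))
        || !SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max)))
    {
        crypto_msg(M_FATAL, "Failed to set TLS protocol version bounds");
    }
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000*/
    /* … unchanged: SSL_OP_NO_* fallback for older OpenSSL … */
```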