On 12/04/17 06:58, Simon Matter wrote: >> Hi, >> >> On 11-04-17 19:31, David Sommerseth wrote: >>> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. >>> This also makes it possible to remove a few workaronds which was >>> needed earlier, as well as some left overs from v0.9.6. >>> >>> This also makes ./configure really stop running unless a new enough >>> OpenSSL library is found. >>> >>> Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping >>> openssl-1.0.1e. >>> >>> Signed-off-by: David Sommerseth <dav...@openvpn.net> >>> --- >>> configure.ac | 6 >>> +++--- >>> doc/openvpn.8 | 1 - >>> .../keying-material-exporter-demo/keyingmaterialexporter.c | 3 +-- >>> sample/sample-plugins/log/log_v3.c | 3 +-- >>> src/openvpn/ssl_openssl.c | 3 --- >>> src/openvpn/ssl_openssl.h | 11 >>> ----------- >>> src/openvpn/ssl_verify_openssl.c | 6 >>> ++---- >>> 7 files changed, 7 insertions(+), 26 deletions(-) >>> >>> diff --git a/configure.ac b/configure.ac >>> index 2406ad8..acea060 100644 >>> --- a/configure.ac >>> +++ b/configure.ac >>> @@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a >>> "${with_crypto_library}" = "openssl"; then >>> # if the user did not explicitly specify flags, try to >>> autodetect >>> PKG_CHECK_MODULES( >>> [OPENSSL], >>> - [libcrypto >= 0.9.8, libssl >= 0.9.8], >>> - [have_openssl="yes"], >>> - [have_openssl="no"] # Provide if-not-found to prevent >>> erroring out >>> + [libcrypto >= 1.0.1, libssl >= 1.0.1], >>> + [have_openssl="yes"], >>> + [AC_MSG_ERROR([Minimum supported OpenSSL version is >>> 1.0.1])] >>> ) >>> >>> OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto} >>> diff --git a/doc/openvpn.8 b/doc/openvpn.8 >>> index a9f5db7..c3248fd 100644 >>> --- a/doc/openvpn.8 >>> +++ b/doc/openvpn.8 
>>> @@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback. >>> Note that exporter labels have the potential to collide with existing >>> PRF >>> labels. In order to prevent this, labels MUST begin with "EXPORTER". >>> >>> -This option requires OpenSSL 1.0.1 or newer. >>> .\"********************************************************* >>> .SS Server Mode >>> Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode >>> diff --git >>> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >>> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >>> index 177977d..a72b374 100644 >>> --- >>> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >>> +++ >>> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c >>> @@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509) >>> { >>> continue; >>> } >>> - /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this >>> workaround */ >>> - unsigned char *buf = (unsigned char *)1; >>> + unsigned char *buf = NULL; >>> if (ASN1_STRING_to_UTF8(&buf, val) <= 0) >>> { >>> continue; >>> diff --git a/sample/sample-plugins/log/log_v3.c >>> b/sample/sample-plugins/log/log_v3.c >>> index 9037225..d3014f3 100644 >>> --- a/sample/sample-plugins/log/log_v3.c >>> +++ b/sample/sample-plugins/log/log_v3.c >>> @@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt) >>> X509_NAME *x509_name; >>> X509_NAME_ENTRY *ent; >>> const char *objbuf; >>> - unsigned char *buf; >>> + unsigned char *buf = NULL; >>> >>> x509_name = X509_get_subject_name(x509crt); >>> n = X509_NAME_entry_count(x509_name); >>> @@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt) >>> { >>> continue; >>> } >>> - buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b >>> ASN1_STRING_to_UTF8 requires this workaround */ >>> if (ASN1_STRING_to_UTF8(&buf, val) <= 0) >>> { >>> continue; 
>>> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c >>> index d7cc2ba..645ccf5 100644 >>> --- a/src/openvpn/ssl_openssl.c >>> +++ b/src/openvpn/ssl_openssl.c >>> @@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, >>> unsigned int ssl_flags) >>> sslopt |= SSL_OP_NO_TLSv1_2; >>> } >>> #endif >>> -#ifdef SSL_OP_NO_COMPRESSION >>> - /* Disable compression - flag not available in OpenSSL 0.9.8 */ >>> sslopt |= SSL_OP_NO_COMPRESSION; >>> -#endif >>> SSL_CTX_set_options(ctx->ctx, sslopt); >>> } >>> >>> diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h >>> index 6ca4cb6..60a1f5e 100644 >>> --- a/src/openvpn/ssl_openssl.h >>> +++ b/src/openvpn/ssl_openssl.h >>> @@ -33,17 +33,6 @@ >>> #include <openssl/ssl.h> >>> >>> /** >>> - * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session >>> resumption", >>> - * as this is something we do not want nor need, but could potentially >>> be >>> - * used for a future attack. For compatibility reasons we keep >>> building if the >>> - * OpenSSL version is too old (pre-0.9.8f) to support stateless session >>> - * resumption (and the accompanying SSL_OP_NO_TICKET flag). >>> - */ >>> -#ifndef SSL_OP_NO_TICKET >>> -#define SSL_OP_NO_TICKET 0 >>> -#endif >>> - >>> -/** >>> * Structure that wraps the TLS context. Contents differ depending on >>> the >>> * SSL library used. >>> */ >>> diff --git a/src/openvpn/ssl_verify_openssl.c >>> b/src/openvpn/ssl_verify_openssl.c >>> index 5624daa..54eadbd 100644 >>> --- a/src/openvpn/ssl_verify_openssl.c >>> +++ b/src/openvpn/ssl_verify_openssl.c 
>>> @@ -458,8 +458,7 @@ x509_setenv_track(const struct x509_track *xt, >>> struct env_set *es, const int dep >>> if (ent) >>> { >>> ASN1_STRING *val = >>> X509_NAME_ENTRY_get_data(ent); >>> - unsigned char *buf; >>> - buf = (unsigned char *)1; /* bug in OpenSSL >>> 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ >>> + unsigned char *buf = NULL; >>> if (ASN1_STRING_to_UTF8(&buf, val) > 0) >>> { >>> do_setenv_x509(es, xt->name, (char >>> *)buf, depth); >>> @@ -514,7 +513,7 @@ x509_setenv(struct env_set *es, int cert_depth, >>> openvpn_x509_cert_t *peer_cert) >>> ASN1_STRING *val; >>> X509_NAME_ENTRY *ent; >>> const char *objbuf; >>> - unsigned char *buf; >>> + unsigned char *buf = NULL; >>> char *name_expand; >>> size_t name_expand_size; >>> X509_NAME *x509 = X509_get_subject_name(peer_cert); >>> @@ -547,7 +546,6 @@ x509_setenv(struct env_set *es, int cert_depth, >>> openvpn_x509_cert_t *peer_cert) >>> { >>> continue; >>> } >>> - buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b >>> ASN1_STRING_to_UTF8 requires this workaround */ >>> if (ASN1_STRING_to_UTF8(&buf, val) <= 0) >>> { >>> continue; >>> >> >> For master: ACK. >> >> For release/2.4: I wonder whether we need to keep 0.9.8 support, as >> SLES11 still ships with 0.9.8h, and has general support until 31 Mar 2019. > > To make the picture complete, there is also the "extended" support for EL5 > for paying customers. For both RedHat EL5 and Oracle's EL5 clone extended > support ends somewhere in 2020.
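Review bot: In the configure.ac hunk, replacing `[have_openssl="no"]` with `AC_MSG_ERROR([Minimum supported OpenSSL version is 1.0.1])` turns a missing or too-old pkg-config entry into a hard stop, yet the very next context line, `OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}`, is the fallback for installs whose OpenSSL ships no .pc files; those builds now abort before the fallback is reached even when 1.0.1+ headers and libraries are present. If that fallback is meant to survive, keep `have_openssl="no"` here and enforce the 1.0.1 floor on the fallback path as well (for example a compile test against OPENSSL_VERSION_NUMBER) so both paths fail the same way; otherwise the commit message should state that pkg-config is now required for OpenSSL builds.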
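Review bot: In the keyingmaterialexporter.c hunk (and identically in the two log_v3.c hunks and the three ssl_verify_openssl.c hunks), `unsigned char *buf = NULL;` replaces the `(unsigned char *)1` sentinel that the removed comment tied to a 0.9.6b bug in ASN1_STRING_to_UTF8. On the OpenSSL versions this series now requires the function hands back a freshly allocated buffer through `buf`, and none of these hunks show what happens to that buffer after `ASN1_STRING_to_UTF8(&buf, val) > 0` / `<= 0`, so please confirm each success path still releases it with OPENSSL_free and that nothing downstream relied on the sentinel value; a one-line comment noting that the call allocates would keep the next reader from reintroducing the sentinel.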
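Review bot: The ssl_openssl.h hunk deletes the only comment explaining why SSL_OP_NO_TICKET is set (stateless session resumption is neither wanted nor needed and could be abused later) along with the pre-0.9.8f fallback `#define SSL_OP_NO_TICKET 0`, and the ssl_openssl.c hunk likewise drops the `/* Disable compression ... */` line together with the `#ifdef SSL_OP_NO_COMPRESSION` guard. Removing the guards is right for a 1.0.1 floor, but the rationale should move to where the flags are OR-ed into `sslopt`: keep a short `/* Disable compression */` beside `sslopt |= SSL_OP_NO_COMPRESSION;` and an equivalent note next to the SSL_OP_NO_TICKET use, so the security intent does not disappear with the compatibility shims.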
That is correct. But we decided that is for really special installs. Those users also pay an incredibly high premium to Red Hat (and I wouldn't expect Oracle to be different) to get access to the ELS (Extended Life-cycle Support). IIRC, it is also something not all customers are eligible to buy. I don't even think you can buy ELS from their web-shop, you have to go through a sales contact.

<https://access.redhat.com/support/policy/updates/errata/#Extended_Life_Cycle_Phase>

The ELS is also only supported on a very restricted set of packages:

<https://access.redhat.com/articles/2901071>

So considering that this isn't something being too common, we decided a long time ago it isn't worth the hassle for us. We anyway do support OpenVPN v2.3 for a while more, which will work on EL5. So if someone really wants to stay on EL5 longer, they need to accept that they won't get the newest OpenVPN versions.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel