In gmane.network.openvpn.devel, Steffan Karger wrote:

Hi Steffan,

> As described in <80e6b449-c536-dc87-7215-3693872bc...@birkenwald.de> on
> the openvpn-devel mailing list, --tls-version-min no longer works with
> OpenSSL 1.1. Kurt Roeckx posted in a debian bug report:
>
> "This is marked as important because if you switch to openssl 1.1.0
> the default minimum version in Debian is currently TLS 1.2 and
> you can't override it with the options that you're currently using
> (and are deprecated)."
>
> This patch is loosely based on the original patch by Kurt, but solves the
> issue by adding functions to openssl-compat.h, like we also did for all
> other openssl 1.1 breakage. This results in not having to add more ifdefs
> in ssl_openssl.c and thus cleaner code.

I have forwarded your patch to Kurt and asked for feedback. See attached mail.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873302#32

Bernhard
--- Begin Message ---
On Wed, Nov 29, 2017 at 03:36:14PM +0100, Bernhard Schmidt wrote:
> Hi Kurt,
>
> Steffan has posted a patch for this that is loosely based on yours. It is
> not merged yet, comments welcome.
>
> https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/20171126141555.25930-1-steffan%40karger.me/#msg36136873

I have some comments:

- It has:

+/* TLS Version defines are new in OpenSSL 1.1 */
+#ifndef TLS1_0_VERSION
+#define TLS1_0_VERSION 0x0301
+#endif
+#ifndef TLS1_1_VERSION
+#define TLS1_1_VERSION 0x0302
+#endif
+#ifndef TLS1_2_VERSION
+#define TLS1_2_VERSION 0x0303
+#endif

  It's TLS1_VERSION (not TLS1_0_VERSION). The defines all exist in at least
  1.0.1, the version that added support for TLS 1.1 and 1.2.

- It calls SSL_CTX_set_min_proto_version() unconditionally, overriding the
  library default. In the 1.0.2 case SSLv2 and SSLv3 are then disabled, in
  the 1.1 case it could enable SSLv3.

- openssl_tls_version() should probably add SSL3_VERSION support.

Kurt
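Review bot: the "#ifndef TLS1_0_VERSION" guard in the quoted hunk can never see OpenSSL's own macro, which is spelled TLS1_VERSION, so the block introduces a second name for 0x0301 rather than supplying a missing one, and the TLS1_1_VERSION and TLS1_2_VERSION guards are dead on every header that already has those names (1.0.1 and later); suggest dropping the three fallback blocks, using TLS1_VERSION, TLS1_1_VERSION and TLS1_2_VERSION directly in ssl_openssl.c, and removing the comment "/* TLS Version defines are new in OpenSSL 1.1 */", which the hunk's own #ifndef guards contradict.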
--- End Message ---
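Editor's added example, not code from OpenVPN, from Steffan's patch or from Kurt's message: a self-contained model of what an openssl-compat.h fallback has to do on OpenSSL older than 1.1.0, where there is no SSL_CTX_set_min_proto_version() and protocol versions can only be switched off through SSL_OP_NO_* option bits, together with the guard Kurt's second comment asks for (leave the library default alone unless --tls-version-min was actually given). The function names tls_version_min_to_proto(), compat_min_proto_options() and apply_tls_version_min() are assumed for this illustration; the macro values are copied from OpenSSL 1.0.2's ssl.h and are only defined here when no OpenSSL header has already defined them, and nothing links against libssl: the option mask is returned as a long instead of being applied with SSL_CTX_set_options().

```c
/*
 * Added example (not OpenVPN code): model of an openssl-compat.h fallback
 * for SSL_CTX_set_min_proto_version() on OpenSSL < 1.1.0.  The constants
 * below are copied from OpenSSL 1.0.2's ssl.h (assumption: they match your
 * headers) and only defined when ssl.h has not been included.  The "SSL_CTX
 * options" are modelled as a plain long that a real caller would pass to
 * SSL_CTX_set_options(); no libssl call is made.
 */
#include <stddef.h>
#include <string.h>

#ifndef SSL3_VERSION
#define SSL3_VERSION    0x0300
#endif
#ifndef TLS1_VERSION
#define TLS1_VERSION    0x0301   /* OpenSSL's name: TLS1_VERSION, not TLS1_0_VERSION */
#endif
#ifndef TLS1_1_VERSION
#define TLS1_1_VERSION  0x0302
#endif
#ifndef TLS1_2_VERSION
#define TLS1_2_VERSION  0x0303
#endif

#ifndef SSL_OP_NO_SSLv2
#define SSL_OP_NO_SSLv2    0x01000000L
#define SSL_OP_NO_SSLv3    0x02000000L
#define SSL_OP_NO_TLSv1    0x04000000L
#define SSL_OP_NO_TLSv1_2  0x08000000L
#define SSL_OP_NO_TLSv1_1  0x10000000L
#endif

/* Map the --tls-version-min argument ("1.0", "1.1", "1.2") to the protocol
 * number the compat layer works with (hypothetical helper name).  Returns 0
 * for an absent or unknown value; 0 means "keep the library default". */
int tls_version_min_to_proto(const char *s)
{
    if (s == NULL)             return 0;
    if (strcmp(s, "1.0") == 0) return TLS1_VERSION;
    if (strcmp(s, "1.1") == 0) return TLS1_1_VERSION;
    if (strcmp(s, "1.2") == 0) return TLS1_2_VERSION;
    return 0;
}

/* Fallback for SSL_CTX_set_min_proto_version() on OpenSSL < 1.1.0.
 * Returns the mask to hand to SSL_CTX_set_options(): the current options
 * plus one SSL_OP_NO_* bit for every version below min_version.  SSLv2 and
 * SSLv3 are always switched off (OpenVPN never speaks them) and bits are
 * only ever added, never cleared, so applying the result can raise the
 * protocol floor but can never lower one the library already enforces. */
long compat_min_proto_options(long current_opts, int min_version)
{
    long opts = current_opts | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
    if (min_version > TLS1_VERSION)   opts |= SSL_OP_NO_TLSv1;
    if (min_version > TLS1_1_VERSION) opts |= SSL_OP_NO_TLSv1_1;
    if (min_version > TLS1_2_VERSION) opts |= SSL_OP_NO_TLSv1_2;
    return opts;
}

/* The guard from Kurt's second comment: only touch the minimum when the
 * user set --tls-version-min.  With min_version == 0 nothing is written, so
 * a library whose default floor is already TLS 1.2 keeps it instead of
 * having it replaced by a hard-coded value.  Returns 1 if *ctx_opts was
 * changed, 0 if the library default was left in place. */
int apply_tls_version_min(long *ctx_opts, int min_version)
{
    if (min_version == 0)
        return 0;
    *ctx_opts = compat_min_proto_options(*ctx_opts, min_version);
    return 1;
}
```

On a real OpenSSL 1.1.0 build the whole compat_min_proto_options() path is unnecessary, since SSL_CTX_set_min_proto_version() exists and takes the version number directly; the point the apply_tls_version_min() guard carries over to that build is that the native call must also be skipped when the option was never set, otherwise a fixed minimum overrides whatever floor the distribution compiled in.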
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel