Hi Bernhard, Kurt,

On 30-11-17 09:53, Bernhard Schmidt wrote:
>> As described in <80e6b449-c536-dc87-7215-3693872bc...@birkenwald.de> on
>> the openvpn-devel mailing list, --tls-version-min no longer works with
>> OpenSSL 1.1. Kurt Roeckx posted in a debian bug report:
>>
>> "This is marked as important because if you switch to openssl 1.1.0
>> the default minimum version in Debian is currently TLS 1.2 and
>> you can't override it with the options that you're currently using
>> (and are deprecated)."
>>
>> This patch is loosely based on the original patch by Kurt, but solves the
>> issue by adding functions to openssl-compat.h, like we also did for all
>> other openssl 1.1 breakage. This results in not having to add more ifdefs
>> in ssl_openssl.c and thus cleaner code.
>
> I have forwarded your patch to Kurt and asked for feedback. See attached
> mail.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873302#32
Thanks!

On 29-11-17 20:14, Kurt Roeckx wrote:
> I have some comments:

Also thanks!

> - It has:
> +/* TLS Version defines are new in OpenSSL 1.1 */
> +#ifndef TLS1_0_VERSION
> +#define TLS1_0_VERSION 0x0301
> +#endif
> +#ifndef TLS1_1_VERSION
> +#define TLS1_1_VERSION 0x0302
> +#endif
> +#ifndef TLS1_2_VERSION
> +#define TLS1_2_VERSION 0x0303
> +#endif
>
> It's TLS1_VERSION (not TLS1_0_VERSION)

Oops, will fix.

> The defines all exist in at least 1.0.1, the version that added
> support for TLS 1.1 and 1.2

Good, then we won't need this in master. (But we do in release/2.4, because there we still support 0.9.8 as SUSE still maintains it.)

> - It calls SSL_CTX_set_min_proto_version() unconditionally,
> overriding the library default. In the 1.0.2 case SSLv2 and
> SSLv3 are then disabled, in the 1.1 case it could enable SSLv3.

This is something I pondered about, and once again now that you mention it. OpenVPN < 2.3.4 (and OpenSSL < 1.0.1), which are still widely used by our user base, do not support TLS 1.1+. Combined with the fact that many HTTPS-style TLS attacks do not work for OpenVPN (the record layer data is not attacker controlled like in a browser), I opted to just fix the minimum at 1.0 and keep the code slightly simpler.

But I think it's okay to confront users with old cruft, and follow the system defaults. Since users can re-enable TLS 1.0 if they really want, I think that should be okay. The v2 of this patch will obey the system defaults.

> - openssl_tls_version() should probably add SSL3_VERSION support.

Nope - OpenVPN never supported SSLv3 and never will.

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
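Review bot: Beyond the TLS1_0_VERSION/TLS1_VERSION naming issue already raised, the `#ifndef` fallback pattern in this hunk hides exactly that kind of mistake: because no OpenSSL header ever defines `TLS1_0_VERSION`, `#ifndef TLS1_0_VERSION` is always true, the private `0x0301` definition is always used, and the build succeeds on every OpenSSL version without anyone noticing the real constant is never referenced. Suggest using the real names (`TLS1_VERSION`, `TLS1_1_VERSION`, `TLS1_2_VERSION`) and, since the reply confirms they all exist from 1.0.1 onward, keeping the fallback block only where 0.9.8 support is actually needed (release/2.4), so that master does not carry guards that can mask a typo.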
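The discussion above is about two things the compat layer has to get right: mapping OpenVPN's --tls-version-min value onto the OpenSSL version constants, and emulating SSL_CTX_set_min_proto_version() on OpenSSL 1.0.x, which lacks that API and only offers SSL_OP_NO_* option bits. The example below is added here and is not the patch's or OpenVPN's code; the constant values are local copies of the OpenSSL 1.0.x header values so it builds without OpenSSL, and `openssl_tls_version_from_string` and `compat_min_proto_options` are hypothetical names. It keeps SSLv2/SSLv3 disabled unconditionally, since OpenVPN never supported SSLv3, and rejects any minimum below TLS 1.0.

```c
#include <stdio.h>
#include <string.h>

/* Local copies of OpenSSL 1.0.x values (assumption: taken from ssl.h/tls1.h). */
#define SSL3_VERSION      0x0300
#define TLS1_VERSION      0x0301   /* the real name; there is no TLS1_0_VERSION */
#define TLS1_1_VERSION    0x0302
#define TLS1_2_VERSION    0x0303
#define SSL_OP_NO_SSLv2   0x01000000UL
#define SSL_OP_NO_SSLv3   0x02000000UL
#define SSL_OP_NO_TLSv1   0x04000000UL
#define SSL_OP_NO_TLSv1_2 0x08000000UL
#define SSL_OP_NO_TLSv1_1 0x10000000UL

/* Hypothetical helper: --tls-version-min "1.0"/"1.1"/"1.2" -> OpenSSL constant.
 * Returns 0 for anything else, so SSLv3 can never be selected. */
int openssl_tls_version_from_string(const char *s)
{
    if (s == NULL) return 0;
    if (strcmp(s, "1.0") == 0) return TLS1_VERSION;
    if (strcmp(s, "1.1") == 0) return TLS1_1_VERSION;
    if (strcmp(s, "1.2") == 0) return TLS1_2_VERSION;
    return 0;
}

/* Hypothetical 1.0.x emulation of SSL_CTX_set_min_proto_version(): given the
 * context's current option word, compute the new one. SSLv2/SSLv3 always stay
 * disabled; TLS versions below the minimum are disabled, those at or above it
 * are re-enabled. On real OpenSSL 1.0.x the caller would apply the result with
 * SSL_CTX_clear_options()/SSL_CTX_set_options(). Returns 0 (and leaves *out
 * untouched) for a minimum outside TLS 1.0..1.2. */
int compat_min_proto_options(unsigned long opts, int min_version, unsigned long *out)
{
    const struct { int ver; unsigned long no_bit; } tbl[] = {
        { TLS1_VERSION,   SSL_OP_NO_TLSv1   },
        { TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
        { TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
    };
    size_t i;
    if (min_version < TLS1_VERSION || min_version > TLS1_2_VERSION) return 0;
    opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
    for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (tbl[i].ver < min_version) opts |= tbl[i].no_bit;
        else                          opts &= ~tbl[i].no_bit;
    }
    *out = opts;
    return 1;
}

int main(void)
{
    unsigned long o = 0;
    int v = openssl_tls_version_from_string("1.1");
    if (compat_min_proto_options(0, v, &o))
        printf("min 0x%04x -> options 0x%08lx\n", v, o);
    return 0;
}
```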