Hi,

On 20-01-18 10:50, Steffan Karger wrote:
> On 20-01-18 05:47, selva.n...@gmail.com wrote:
>> From: Selva Nair <selva.n...@gmail.com>
>>
>> - No change in functionality. This is used in a subsequent
>>   patch for extending TLS1.2 support with cryptoapicert
>>
>> Signed-off-by: Selva Nair <selva.n...@gmail.com>
>> ---
>>  src/openvpn/openssl_compat.h | 23 +++++++++++++++++++++++
>>  1 file changed, 23 insertions(+)
>>
>> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
>> index 9f1e92a..c94341a 100644
>> --- a/src/openvpn/openssl_compat.h
>> +++ b/src/openvpn/openssl_compat.h
>> @@ -670,6 +670,29 @@ SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
>>  }
>>  #endif /* SSL_CTX_get_min_proto_version */
>>  
>> +#ifndef SSL_CTX_get_max_proto_version
>> +/** Return the max SSL protocol version currently enabled in the context.
>> + *  If no valid version >= TLS1.0 is found, return 0. */
>> +static inline int
>> +SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
>> +{
>> +    long sslopt = SSL_CTX_get_options(ctx);
>> +    if (!(sslopt & SSL_OP_NO_TLSv1_2))
>> +    {
>> +    return TLS1_2_VERSION;
>> +    }
>> +    if (!(sslopt & SSL_OP_NO_TLSv1_1))
>> +    {
>> +    return TLS1_1_VERSION;
>> +    }
>> +    if (!(sslopt & SSL_OP_NO_TLSv1))
>> +    {
>> +    return TLS1_VERSION;
>> +    }
>> +    return 0;
>> +}
>> +#endif /* SSL_CTX_get_max_proto_version */
>> +
>>  #ifndef SSL_CTX_set_min_proto_version
>>  /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
>>  static inline int
>>
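Review bot: The `return 0;` fallback at the end of SSL_CTX_get_max_proto_version() hands callers a value that is not a protocol version, and the doc comment only says this happens when "no valid version >= TLS1.0 is found". Because the shim is compiled only under `#ifndef SSL_CTX_get_max_proto_version`, builds against a library that provides the getter will use that one instead, so the comment should state how callers must treat 0, and the follow-up cryptoapicert patch should test for 0 explicitly rather than comparing the result directly against TLS1_2_VERSION. Separately, the three `return TLS1_x_VERSION;` statements sit at the same indentation as their enclosing braces; indent them one level to match the rest of the file.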
> 
> Looks good and compiles fine.
> 
> Acked-by: Steffan Karger <stef...@karger.me>

Sorry, one more thing:  the current patch is only okay for master, as
2.4 still supports openssl 0.9.8 and 1.0.0, which do not have the
SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines (the TLSx_VERSION ones
*are* available though).  If you want this patch backported to
release/2.4, it needs #ifdefs like get_min_proto_version has.

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
