Hi,

On Sat, Jan 20, 2018 at 5:14 AM, Steffan Karger <stef...@karger.me> wrote:
> Hi,
>
> On 20-01-18 10:50, Steffan Karger wrote:
>> On 20-01-18 05:47, selva.n...@gmail.com wrote:
>>> From: Selva Nair <selva.n...@gmail.com>
>>>
>>> - No change in functionality. This is used in a subsequent
>>>   patch for extending TLS1.2 support with cryptoapicert
>>>
>>> Signed-off-by: Selva Nair <selva.n...@gmail.com>
>>> ---
>>>  src/openvpn/openssl_compat.h | 23 +++++++++++++++++++++++
>>>  1 file changed, 23 insertions(+)
>>>
>>> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
>>> index 9f1e92a..c94341a 100644
>>> --- a/src/openvpn/openssl_compat.h
>>> +++ b/src/openvpn/openssl_compat.h
>>> @@ -670,6 +670,29 @@ SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
>>>  }
>>>  #endif /* SSL_CTX_get_min_proto_version */
>>>
>>> +#ifndef SSL_CTX_get_max_proto_version
>>> +/** Return the max SSL protocol version currently enabled in the context.
>>> + *  If no valid version >= TLS1.0 is found, return 0. */
>>> +static inline int
>>> +SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
>>> +{
>>> +    long sslopt = SSL_CTX_get_options(ctx);
>>> +    if (!(sslopt & SSL_OP_NO_TLSv1_2))
>>> +    {
>>> +    return TLS1_2_VERSION;
>>> +    }
>>> +    if (!(sslopt & SSL_OP_NO_TLSv1_1))
>>> +    {
>>> +    return TLS1_1_VERSION;
>>> +    }
>>> +    if (!(sslopt & SSL_OP_NO_TLSv1))
>>> +    {
>>> +    return TLS1_VERSION;
>>> +    }
>>> +    return 0;
>>> +}
>>> +#endif /* SSL_CTX_get_max_proto_version */
>>> +
>>>  #ifndef SSL_CTX_set_min_proto_version
>>>  /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
>>>  static inline int
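Review bot: the `return` statements inside the three `if` blocks are at the same indent as the enclosing `if` (e.g. `+    if (!(sslopt & SSL_OP_NO_TLSv1_2))` followed by `+    return TLS1_2_VERSION;` at the same column); they should be indented one level further inside the braces so the block bodies read correctly. Also, as raised further down in the thread, `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` are not defined in OpenSSL 0.9.8/1.0.0, so if this is ever backported to release/2.4 each of those checks needs an `#ifdef` guard like the existing `SSL_CTX_get_min_proto_version` compat code has; for master only, the unguarded form is fine. Finally, the doc comment defines a 0 return as "no version >= TLS1.0 enabled", so callers that compare the result against `TLS1_*_VERSION` constants should handle 0 explicitly rather than treating it as a version number.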
>>>
>>
>> Looks good and compiles fine.
>>
>> Acked-by: Steffan Karger <stef...@karger.me>
>
> Sorry, one more thing:  the current patch is only okay for master, as
> 2.4 still supports openssl 0.9.8 and 1.0.0, which do not have the
> SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines (the TLSx_VERSION ones
> *are* available though).  If you want this patch backported to
> release/2.4, it needs #ifdefs like get_min_proto_version has.

Yeah, I meant it to go into master only (hence no ifdefs). Is it good
to have it in 2.4 too?
If so I will send a back-ported patch.

Selva
