On 16.09.20 at 11:45, Juliusz Sosinowicz wrote:
> Hi Arne,
>
> a quick update. A PR is now open in wolfSSL with fixes for OpenVPN master.
This is the version that I could actually take a deeper look at, so here are my results. It generally works but there seem to be some loose ends:

I am still seeing this warning:

    2020-09-16 23:20:14 WARNING: 'auth' is used inconsistently, local='auth SHA', remote='auth SHA1'

Are you internally calling SHA1 just SHA and also returning that as the name when querying for the name? And do the other SHA variants also just return SHA?

This snippet in the configure.ac looks strange:

    if test -n "${WOLFSSL_DIR}"; then
        wolfssldir="${WOLFSSL_DIR}"
    else
        wolfssldir="/usr/local/include/wolfssl"
    fi

I am not sure hardcoding a /usr/local path is something we want/allow. The people better at autoconf might have a better idea on this.

    have_crypto_aead_modes="yes"
    have_crypto="yes"

While the have_crypto_aead removal is a rather new removal, the have_crypto removal happened over 4 years ago (31b0bebe). I think the configure.ac should be cleaned up a bit more.

The --tls-version-max 1.2 option is ignored. --tls-version-min 1.3 against an (OpenSSL) server with --tls-version-max 1.2 results in:

    2020-09-16 23:45:26 OpenSSL: Please supply a buffer for error string
    2020-09-16 23:45:26 OpenSSL: Please supply a buffer for error string

(A quick fix with just trying to do a malloc of a buffer that leaks memory transformed this into the also useless message "OpenSSL: unknown error number".)

openvpn --show-tls does not work at all.

Setting tls-ciphersuites results in (on the server side for the TLS 1.2 max server):

    2020-09-16 23:54:22 us=503265 79.229.32.216:57019 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.

I can also set a TLS 1.3 cipher via tls-cipher. The design of TLS 1.3 ciphersuites and 1.0-1.2 cipher suites using different commands is an artifact of OpenSSL's behaviour, but basically setting tls-cipher/tls-ciphersuites in the way they were intended seems to break wolfSSL.

Loading the ed448 cert I have resulted in:

    2020-09-16 23:58:28 OpenSSL: Please supply a buffer for error string

again. --tls-groups meinekurve does not give me an error, so this option is probably also ignored.

I am not expecting you to test all the zillion options that OpenVPN has, but at least testing the TLS related options would be good. And what I am currently seeing is not really good coverage/buggy. Even if some of the options might be a good option for support in WolfSSL, we need to document this and/or your API needs to throw reasonable errors.

Same notes since I ran WolfSSL also on my own development that includes a few patches already sent to the mailing list but not merged:

This definition in WolfSSL:

    wolfssl/openssl/ssl.h:#define SSL_export_keying_material(...) 0

This just breaks TLS EKM, as WolfSSL pretends to be able to do keying material export but then cannot really do it. The patches to use TLS EKM are currently not in master but will definitively be added by 2.6.

The macro have_export_keying_material="yes" is currently also missing in the wolfssl configure.ac section, but if enabling it, it just breaks:

    2020-09-16 23:31:17 TLS Error: Keying material export failed
    2020-09-16 23:31:17 TLS Error: generate_key_expansion failed

The "allow to work in FIPS mode" patch also breaks for the OpenSSL 1.0.2 code path:

    EVP_MD_CTX_set_flags(&ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);

    error: use of undeclared identifier 'EVP_MD_CTX_FLAG_NON_FIPS_ALLOW'
    warning: implicit declaration of function 'EVP_MD_CTX_set_flags' is invalid in C99

I am surprised you are targeting the OpenSSL < 1.1.0 API. We will probably drop OpenSSL 1.0.2 support from our code base as soon as we drop RHEL7 support. The 1.1.0+ code path in that patch uses the EVP_PKEY_derive_*/EVP_PKEY_CTX_set_tls1_prf functions and those will be needed then.

Arne
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
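The message above reports that wolfSSL's `#define SSL_export_keying_material(...) 0` stub breaks TLS EKM, and that OpenVPN's TLS 1.2 key expansion path relies on the TLS PRF (`EVP_PKEY_CTX_set_tls1_prf`). The following is an added example, not code from OpenVPN, wolfSSL or the author of the message, showing what that library call is specified to compute: the RFC 5705 exporter over the TLS 1.2 PRF and the RFC 8446 section 7.5 exporter over HKDF. The labels, secrets and randoms used are constructed sample values, not values from any real session, and the HKDF primitive is checked against the RFC 5869 test vector.

```python
"""TLS Exported Keying Material (EKM) derivation (added example).

Two exporter constructions behind SSL_export_keying_material():
  - RFC 5705: TLS 1.0-1.2, PRF(master_secret, label, client_random ||
    server_random [|| len(context) || context])
  - RFC 8446 7.5: TLS 1.3, HKDF-Expand-Label over the exporter master secret
All secrets, randoms and labels below are constructed sample values.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt -> zeros."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """Serialize the HkdfLabel struct of RFC 8446 7.1 (label gets the 'tls13 ' prefix)."""
    full_label = b"tls13 " + label
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    """HKDF-Expand-Label (RFC 8446 7.1)."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length, hash_name)


def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes,
                   length: int, hash_name: str = "sha256") -> bytes:
    """TLS-Exporter (RFC 8446 7.5):
    HKDF-Expand-Label(Derive-Secret(Secret, label, ""), "exporter", Hash(context), length)
    where Derive-Secret with empty Messages uses Hash("") as the transcript hash."""
    digest_size = hashlib.new(hash_name).digest_size
    empty_hash = hashlib.new(hash_name, b"").digest()
    derived = hkdf_expand_label(exporter_master_secret, label, empty_hash, digest_size, hash_name)
    ctx_hash = hashlib.new(hash_name, context).digest()
    return hkdf_expand_label(derived, b"exporter", ctx_hash, length, hash_name)


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF (RFC 5246 5): P_hash(secret, label || seed) with A(0) = label || seed."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_exporter(master_secret: bytes, label: bytes, context, client_random: bytes,
                   server_random: bytes, length: int) -> bytes:
    """RFC 5705 exporter. context=None means 'no context', which RFC 5705 keeps
    distinct from an empty context (the latter still appends a 2-byte zero length)."""
    seed = client_random + server_random
    if context is not None:
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf(master_secret, label, seed, length)


if __name__ == "__main__":
    # Constructed sample inputs only; a real caller takes these from the TLS session.
    ms, cr, sr = bytes(range(48)), b"\x01" * 32, b"\x02" * 32
    print("TLS1.2 EKM:", tls12_exporter(ms, b"EXPORTER-test", None, cr, sr, 64).hex())
    ems = b"\x03" * 32
    print("TLS1.3 EKM:", tls13_exporter(ems, b"EXPORTER-test", b"", 32).hex())
```

A library whose export call is a macro expanding to 0 never reaches either derivation, so the only correct reaction on the caller's side is the one visible in the log above: treat the failed export as fatal and abort key expansion rather than continue with an uninitialized buffer.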