On Sun, Jul 30, 2017 at 06:00:48PM +0200, Baptiste Jonglez wrote: > On Sun, Jul 30, 2017 at 05:57:37PM +0200, Baptiste Jonglez wrote: > > Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates. > > This breaks openvpn clients that try to connect to servers that > > present a TLS certificate signed with SHA1, which is fairly common. > > > > Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx. > > > > Fixes: FS#942 > > This can be cherry-picked cleanly on the lede-17.01 branch. I think it > should be done, because the update to 2.5.1 broke a working use-case.
See the discussion on Flyspray: https://bugs.lede-project.org/index.php?do=details&task_id=942 As a compromise between security and stability, it makes sense to merge this to lede-17.01 only, and keep SHA1 disabled in master. > > Signed-off-by: Baptiste Jonglez <g...@bitsofnetworks.org> > > --- > > package/libs/mbedtls/Makefile | 2 +- > > package/libs/mbedtls/patches/200-config.patch | 9 +++++++++ > > 2 files changed, 10 insertions(+), 1 deletion(-) > > > > diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile > > index 4cceb743d5..101324de07 100644 > > --- a/package/libs/mbedtls/Makefile > > +++ b/package/libs/mbedtls/Makefile > > @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk > > > > PKG_NAME:=mbedtls > > PKG_VERSION:=2.5.1 > > -PKG_RELEASE:=1 > > +PKG_RELEASE:=2 > > PKG_USE_MIPS16:=0 > > > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz > > diff --git a/package/libs/mbedtls/patches/200-config.patch > > b/package/libs/mbedtls/patches/200-config.patch > > index 39de3cc1ec..fb5a74fc65 100644 > > --- a/package/libs/mbedtls/patches/200-config.patch > > +++ b/package/libs/mbedtls/patches/200-config.patch > > @@ -269,3 +269,12 @@ > > > > /* \} name SECTION: mbed TLS modules */ > > > > +@@ -2646,7 +2646,7 @@ > > + * recommended because of it is possible to generte SHA-1 collisions, > > however > > + * this may be safe for legacy infrastructure where additional controls > > apply. > > + */ > > +-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES > > ++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES > > + > > + /** > > + * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake > _______________________________________________ > Lede-dev mailing list > Lede-dev@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/lede-dev
signature.asc
Description: PGP signature
_______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev