Bug#871987: [Pkg-openssl-devel] Bug#871987: openvpn

2017-08-26 Thread Gedalya
On 08/26/2017 02:58 AM, Kurt Roeckx wrote:

> openvpn doesn't seem to make use of the
> SSL_CTX_set_min_proto_version() function yet. I've attached a
> patch that I didn't even try to compile that I think should do the
> right thing.
>
Thanks for this!
It now connects fine with the setting 'tls-version-min 1.0'
Everything seems to work fine, including the 5 other tunnels on this box.

Perhaps this would be of interest to OpenVPN upstream?



Bug#871987: [Pkg-openssl-devel] Bug#871987: openvpn

2017-08-25 Thread Kurt Roeckx
On Fri, Aug 25, 2017 at 11:07:16PM +0800, Gedalya wrote:
> I tried openssl 1.1.0f-5 and it is indeed better with e.g. s_client.

After the upload I've been wondering if I should change it to
default set the minimum version to 1.0 again.


> However, I've locally built openvpn (and pkcs11-helper) with openssl 1.1.0.
> I'm not sure whether this is a bug with openvpn or an issue with this latest
> patch to openssl, but I've tried both these settings:
> 
> tls-version-min 1.0
> tls-version-max 1.0
> 
> in an openvpn client config, connecting to an old server supporting only
> TLS 1.0, and it doesn't work. It did of course work with openssl 
> 1.1.0f-3.
> With 1.1.0f-5, I get:

openvpn doesn't seem to make use of the
SSL_CTX_set_min_proto_version() function yet. I've attached a
patch that I didn't even try to compile that I think should do the
right thing.


Kurt

--- src/openvpn/ssl_openssl.c.bak	2017-08-25 20:47:07.613021515 +0200
+++ src/openvpn/ssl_openssl.c	2017-08-25 20:56:45.152987547 +0200
@@ -215,6 +215,19 @@
 #endif
 }
 
+/* convert internal version number to openssl version number */
+static int
+openssl_tls_version(int ver)
+{
+if (ver == TLS_VER_1_0)
+return TLS1_VERSION;
+else if (ver == TLS_VER_1_1)
+return TLS1_1_VERSION;
+else if (ver == TLS_VER_1_2)
+return TLS1_2_VERSION;
+return 0;
+}
+
 void
 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
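Review bot: openssl_tls_version() returns 0 for TLS_VER_UNSPEC and for any value it does not recognise, and the comment above it does not say so. OpenSSL treats 0 passed to SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() as "no bound", so 0 is a sensible result for the unspecified case, but the comment should state that the caller relies on it (e.g. `/* returns 0 (no bound) for TLS_VER_UNSPEC */`), otherwise the silent fallthrough reads like an unhandled case.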
@@ -232,6 +245,14 @@
 
 tls_ver_max =
 (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010
+SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min));
+if (tls_ver_max <= TLS_VER_UNSPEC)
+{
+SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max));
+}
+#else /* OPENSSL_VERSION_NUMBER >= 0x1010*/
 if (tls_ver_max <= TLS_VER_UNSPEC)
 {
 tls_ver_max = tls_version_max();
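Review bot: the guard `#if OPENSSL_VERSION_NUMBER >= 0x1010` is wrong: OPENSSL_VERSION_NUMBER is encoded as 0xMNNFFPPS, so OpenSSL 1.1.0 is 0x10100000L and 0x1010 is smaller than any real version number, which means the new branch is compiled for 1.0.x as well, where SSL_CTX_set_min_proto_version() does not exist; it should read `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`. The test `if (tls_ver_max <= TLS_VER_UNSPEC)` is also inverted relative to the existing code directly below it, which uses the same comparison to detect that no maximum was given: as written, an explicit tls-version-max is never passed to OpenSSL and the unspecified case calls SSL_CTX_set_max_proto_version() with 0, so the condition should be `>`. Both set_*_proto_version() calls return 0 on failure and the return values are not checked; a failed call would leave the context without the requested bound, which for the minimum is a security-relevant silent failure.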
@@ -253,6 +274,7 @@
 sslopt |= SSL_OP_NO_TLSv1_2;
 }
 #endif
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifdef SSL_OP_NO_COMPRESSION
 /* Disable compression - flag not available in OpenSSL 0.9.8 */
 sslopt |= SSL_OP_NO_COMPRESSION;
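Review bot: the closing comment `#endif /* OPENSSL_VERSION_NUMBER */` should repeat the full condition it closes, matching the `#else /* OPENSSL_VERSION_NUMBER >= 0x1010*/` comment in the previous hunk, so the two halves can be paired across the SSL_OP_NO_* block between them; with the corrected guard that would be `#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */`.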