Re: [Openvpn-devel] tls fix for upcoming 2.4.5

2018-03-01 Thread Selva Nair
Hi,


>
>> --- openvpn-2.4.5/src/openvpn/openssl_compat.h.orig 2018-02-28 
>> 21:56:54.0 +0100
>> +++ openvpn-2.4.5/src/openvpn/openssl_compat.h 2018-03-01 11:44:57.0 
>> +0100
>> @@ -672,14 +672,18 @@
>>  {
>>  return TLS1_VERSION;
>>  }
>> +#ifdef SSL_OP_NO_TLSv1_1
>>  if (!(sslopt & SSL_OP_NO_TLSv1_1))
>>  {
>>  return TLS1_1_VERSION;
>>  }
>> +#endif
>> +#ifdef SSL_OP_NO_TLSv1_2
>>  if (!(sslopt & SSL_OP_NO_TLSv1_2))
>>  {
>>  return TLS1_2_VERSION;
>>  }
>> +#endif
>>  return 0;
>>  }
>>
>> #endif /* SSL_CTX_get_min_proto_version */
>
> These ifdefs are needed for older openssl (e.g., 0.9.8), but how did we miss 
> it?
>
> Turns out commit 2d705accea3e538a555631ef7c39eb4bc4fd4acf cherry-picked
> from f8a92a4393a was not fully ripe..
>
> As we do not support Windows build using pre 1.0 openssl, this is the
> only change needed. So ACK, assuming a commit message and Author: may
> be slapped on during merge.
>
> Acked-by: Selva Nair 

Forgot to add: 2.4 only.  Master is good as is.

Selva

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] tls fix for upcoming 2.4.5

2018-03-01 Thread Selva Nair
On Thu, Mar 1, 2018 at 6:14 AM, Simon Matter  wrote:
> Hi,
>
> I've just done some test builds with 2.4.5 tagged version.
>
> Attached patch makes it build with older systems. Do you see any issue
> with the change?

.. from the attachment

> --- openvpn-2.4.5/src/openvpn/openssl_compat.h.orig 2018-02-28 
> 21:56:54.0 +0100
> +++ openvpn-2.4.5/src/openvpn/openssl_compat.h 2018-03-01 11:44:57.0 
> +0100
> @@ -672,14 +672,18 @@
>  {
>  return TLS1_VERSION;
>  }
> +#ifdef SSL_OP_NO_TLSv1_1
>  if (!(sslopt & SSL_OP_NO_TLSv1_1))
>  {
>  return TLS1_1_VERSION;
>  }
> +#endif
> +#ifdef SSL_OP_NO_TLSv1_2
>  if (!(sslopt & SSL_OP_NO_TLSv1_2))
>  {
>  return TLS1_2_VERSION;
>  }
> +#endif
>  return 0;
>  }
>
> #endif /* SSL_CTX_get_min_proto_version */
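
Review bot: the two added #endif lines are bare, while the #endif that closes this block is tagged /* SSL_CTX_get_min_proto_version */. Tagging them the same way (#endif /* SSL_OP_NO_TLSv1_1 */ and #endif /* SSL_OP_NO_TLSv1_2 */) would match the surrounding style. A one-line comment above each #ifdef, saying the macro is missing from older OpenSSL headers, would keep the reason for the guard in the source rather than only in the commit message.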

These ifdefs are needed for older openssl (e.g., 0.9.8), but how did we miss it?

Turns out commit 2d705accea3e538a555631ef7c39eb4bc4fd4acf cherry-picked
from f8a92a4393a was not fully ripe..

As we do not support Windows build using pre 1.0 openssl, this is the
only change needed. So ACK, assuming a commit message and Author: may
be slapped on during merge.

Acked-by: Selva Nair 

Selva



Re: [Openvpn-devel] tls fix for upcoming 2.4.5

2018-03-01 Thread Gert Doering
Hi,

On Thu, Mar 01, 2018 at 12:14:06PM +0100, Simon Matter wrote:
> I've just done some test builds with 2.4.5 tagged version.
> 
> Attached patch makes it build with older systems. Do you see any issue
> with the change?

As a side note: this won't make 2.4.5 release, which is already "mostly
done" (things are built, release announcement coming) - but if it's
needed I see no issue with having it in 2.4.6, and release that "quicker
than only in 5 month time" :-)

gert
-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] tls fix for upcoming 2.4.5

2018-03-01 Thread Gert Doering
Hi,

On Thu, Mar 01, 2018 at 12:14:06PM +0100, Simon Matter wrote:
> I've just done some test builds with 2.4.5 tagged version.
> 
> Attached patch makes it build with older systems. Do you see any issue
> with the change?

Which SSL library version needs this?

(I thought we have test systems for everything we officially support, plus
a few more to catch avoidable LibreSSL breakage etc)

gert

-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] tls fix for upcoming 2.4.5

2018-03-01 Thread Simon Matter
Hi,

I've just done some test builds with 2.4.5 tagged version.

Attached patch makes it build with older systems. Do you see any issue
with the change?

Regards,
Simon--- openvpn-2.4.5/src/openvpn/openssl_compat.h.orig	2018-02-28 21:56:54.0 +0100
+++ openvpn-2.4.5/src/openvpn/openssl_compat.h	2018-03-01 11:44:57.0 +0100
@@ -672,14 +672,18 @@
 {
 return TLS1_VERSION;
 }
+#ifdef SSL_OP_NO_TLSv1_1
 if (!(sslopt & SSL_OP_NO_TLSv1_1))
 {
 return TLS1_1_VERSION;
 }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
 if (!(sslopt & SSL_OP_NO_TLSv1_2))
 {
 return TLS1_2_VERSION;
 }
+#endif
 return 0;
 }
 #endif /* SSL_CTX_get_min_proto_version */--
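
Review bot: with both guards compiled out, everything between the "return TLS1_VERSION;" branch and the final "return 0;" disappears, so a build against headers that lack SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 goes straight from the TLS 1.0 branch to 0. The hunk does not say what a caller should make of 0 in that case; a short comment above "return 0;" would settle it. Note also that #ifdef is decided by the headers at compile time, so the result reflects the OpenSSL the binary was built against, not the library loaded at run time. The patch also needs a commit message naming the OpenSSL versions affected.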