Re: [Openvpn-devel] tls fix for upcoming 2.4.5
Hi,

>> --- openvpn-2.4.5/src/openvpn/openssl_compat.h.orig 2018-02-28 >> 21:56:54.0 +0100 >> +++ openvpn-2.4.5/src/openvpn/openssl_compat.h 2018-03-01 11:44:57.0 >> +0100 >> @@ -672,14 +672,18 @@ >> { >> return TLS1_VERSION; >> } >> +#ifdef SSL_OP_NO_TLSv1_1 >> if (!(sslopt & SSL_OP_NO_TLSv1_1)) >> { >> return TLS1_1_VERSION; >> } >> +#endif >> +#ifdef SSL_OP_NO_TLSv1_2 >> if (!(sslopt & SSL_OP_NO_TLSv1_2)) >> { >> return TLS1_2_VERSION; >> } >> +#endif >> return 0; >> } >> >> #endif /* SSL_CTX_get_min_proto_version */
>
> These ifdefs are needed for older openssl (e.g., 0.9.8), but how did we miss
> it?
>
> Turns out commit 2d705accea3e538a555631ef7c39eb4bc4fd4acf cherry-picked
> from f8a92a4393a was not fully ripe..
>
> As we do not support Windows build using pre 1.0 openssl, this is the
> only change needed. So ACK, assuming a commit message and Author: may
> be slapped on during merge.
>
> Acked-by: Selva Nair

Forgot to add: 2.4 only. Master is good as is.

Selva

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] tls fix for upcoming 2.4.5
> Hi,
>
> On Thu, Mar 01, 2018 at 12:14:06PM +0100, Simon Matter wrote:
>> I've just done some test builds with 2.4.5 tagged version.
>>
>> Attached patch makes it build with older systems. Do you see any issue
>> with the change?
>
> Which SSL library version needs this?
>
> (I thought we have test systems for everything we officially support, plus
> a few more to catch avoidable LibreSSL breakage etc)

I saw that the #ifdefs were forgotten there, because they exist in other
places of the same file but didn't make it into the separate more recent
commit.

Anyway, it's for RHEL5, which is still supported for RedHat customers or
CERN Linux 5 users (SLC5). I know OpenVPN officially doesn't care for it
anymore but I do :-)

Regards,
Simon
Re: [Openvpn-devel] tls fix for upcoming 2.4.5
On Thu, Mar 1, 2018 at 6:14 AM, Simon Matter wrote:
> Hi,
>
> I've just done some test builds with 2.4.5 tagged version.
>
> Attached patch makes it build with older systems. Do you see any issue
> with the change?

.. from the attachment

> --- openvpn-2.4.5/src/openvpn/openssl_compat.h.orig 2018-02-28 > 21:56:54.0 +0100 > +++ openvpn-2.4.5/src/openvpn/openssl_compat.h 2018-03-01 11:44:57.0 > +0100 > @@ -672,14 +672,18 @@ > { > return TLS1_VERSION; > } > +#ifdef SSL_OP_NO_TLSv1_1 > if (!(sslopt & SSL_OP_NO_TLSv1_1)) > { > return TLS1_1_VERSION; > } > +#endif > +#ifdef SSL_OP_NO_TLSv1_2 > if (!(sslopt & SSL_OP_NO_TLSv1_2)) > { > return TLS1_2_VERSION; > } > +#endif > return 0; > } > > #endif /* SSL_CTX_get_min_proto_version */

These ifdefs are needed for older openssl (e.g., 0.9.8), but how did we miss
it?

Turns out commit 2d705accea3e538a555631ef7c39eb4bc4fd4acf cherry-picked
from f8a92a4393a was not fully ripe..

As we do not support Windows build using pre 1.0 openssl, this is the
only change needed. So ACK, assuming a commit message and Author: may
be slapped on during merge.

Acked-by: Selva Nair

Selva
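Review bot: with both new guards compiled out (a library that defines neither SSL_OP_NO_TLSv1_1 nor SSL_OP_NO_TLSv1_2), any sslopt that does not take the TLS1_VERSION branch above falls straight through to `return 0;`, and nothing in the hunk says what 0 means to the caller. A one-line comment before the first `#ifdef` stating that these flags are absent from older OpenSSL and that 0 is the intended result there would make that explicit. The two new `#endif` lines could also carry the macro name, matching the existing `#endif /* SSL_CTX_get_min_proto_version */` at the end of the hunk.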
Re: [Openvpn-devel] tls fix for upcoming 2.4.5
Hi,

On Thu, Mar 01, 2018 at 12:14:06PM +0100, Simon Matter wrote:
> I've just done some test builds with 2.4.5 tagged version.
>
> Attached patch makes it build with older systems. Do you see any issue
> with the change?

As a side note: this won't make 2.4.5 release, which is already "mostly
done" (things are built, release announcement coming) - but if it's needed
I see no issue with having it in 2.4.6, and release that "quicker than only
in 5 month time" :-)

gert
--
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] tls fix for upcoming 2.4.5
Hi,

On Thu, Mar 01, 2018 at 12:14:06PM +0100, Simon Matter wrote:
> I've just done some test builds with 2.4.5 tagged version.
>
> Attached patch makes it build with older systems. Do you see any issue
> with the change?

Which SSL library version needs this?

(I thought we have test systems for everything we officially support, plus
a few more to catch avoidable LibreSSL breakage etc)

gert
--
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de