mbedtls: Warn if --tls-version-min is too low
authorMax Fillinger <maximilian.fillinger@foxcrypto.com>
Wed, 3 Jul 2024 17:41:58 +0000 (19:41 +0200)
committerGert Doering <gert@greenie.muc.de>
Wed, 3 Jul 2024 20:08:17 +0000 (22:08 +0200)
Recent versions of mbedtls only support TLS 1.2. When the minimum
version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the
actual minimum version.

Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240703174158.7137-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28865.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/options.c

index dbe1425b6b9168e46026f88aa84db8deb06a9e9f..64e67aa79d32c3e337df2c5b288efcacd3983bfa 100644 (file)
@@ -8942,6 +8942,15 @@ add_option(struct options *options,
             msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
             goto err;
         }
+
+#ifdef ENABLE_CRYPTO_MBEDTLS
+        if (ver < TLS_VER_1_2)
+        {
+            msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
+            ver = TLS_VER_1_2;
+        }
+#endif
+
         options->ssl_flags &=
             ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
         options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
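Review bot: The clamp at lines 26–30 carries no comment, so the rationale exists only in the commit message; add one above the `#ifdef`, e.g. `/* Recent mbedtls releases implement only TLS 1.2 and later, so a lower --tls-version-min cannot be honoured; clamp to 1.2 rather than configuring a floor the library cannot enforce. */`. Because the block is gated on ENABLE_CRYPTO_MBEDTLS alone, it also raises the floor on older mbedtls builds that may still offer 1.0/1.1 — the safer direction, but the warning text "is not supported by mbedtls" is then broader than the description's "recent versions", which the comment could acknowledge. The `ver < TLS_VER_1_2` comparison relies on the TLS_VER_* values being ordered 1.0 < 1.1 < 1.2, which is presumably fixed by their definition outside this file and worth confirming. The enclosing add_option() starts and ends outside the hunk.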