Set tls-version-max to 1.1 if cryptoapicert is used

OpenVPN's current cryptoapicert implementation does not support TLS 1.2
(and newer).  Fixing this requires a rewrite of our cryptoapi code to use
Microsofts' "Cryptography API: Next Generation", and several hacks to work
around that API.  As long as we don't fix that, make openvpn automatically
cap the TLS version to 1.1 when using cryptoapi (and tell the user we're
doing so).  This enables the user to use cryptoapi + TLS version
negotiation (upto TLS 1.1) without having to change his configuration.

This patch has been tested on Windows 8.1 for both the master and
release/2.3 branches.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9361
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 5e8d9dccdfcdf6304884bd98323affb04c18448d..1e0284e0e46085afeae48a0a47687f6b2719c13b 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2525,6 +2525,24 @@ options_postprocess_mutate (struct options *o)
        options_postprocess_http_proxy_override(o);
 #endif
 
+#ifdef ENABLE_CRYPTOAPI
+  if (o->cryptoapi_cert)
+    {
+      const int tls_version_max =
+         (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &
+         SSLF_TLS_VERSION_MAX_MASK;
+
+      if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1)
+       {
+         msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS "
+             "version to 1.1.");
+         o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK <<
+             SSLF_TLS_VERSION_MAX_SHIFT);
+         o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
+       }
+    }
+#endif /* ENABLE_CRYPTOAPI */
+
 #if P2MP
   /*
    * Save certain parms before modifying options via --pull