OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of
SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups
using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to
say that --ecdh-curve is ingored and --tls-groups should be used.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <
20211019183127.614175-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22999.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
{
if (NULL != curve_name)
{
- msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH "
- "curve, using default curves.");
+ msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an "
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify curves.");
}
}
}
void
-tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
- )
+tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
{
-#ifndef OPENSSL_NO_EC
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (curve_name != NULL)
+ {
+ msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify groups.");
+ }
+#elif !defined(OPENSSL_NO_EC)
int nid = NID_undef;
EC_KEY *ecdh = NULL;
const char *sname = NULL;
projects / thirdparty / openvpn.git / commitdiff
