The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it
necessary to reallow them in certain deployments. Currently this works
by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0".
Add "insecure" as option to tls-cert-profile to allow setting a seclevel of 0.
Patch v4: fix default accidentally changed to insecure
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211029112407.2004234-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67)
The following profiles are supported:
+ :code:`insecure`
+ Identical for mbed TLS to `legacy`
+
:code:`legacy` (default)
SHA1 and newer, RSA 2048-bit+, any elliptic curve.
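Review bot: the added line "+ Identical for mbed TLS to `legacy`" reads awkwardly and uses plain backticks where the neighbouring entries use the :code: role; suggest "Identical to :code:`legacy` on mbed TLS builds". Since the mbed TLS code path maps the new name onto the legacy profile without relaxing anything, the entry should also say that the name is accepted only so one configuration works with both TLS libraries.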
This option is only fully supported for mbed TLS builds. OpenSSL builds
use the following approximation:
+ :code:`insecure`
+ sets "security level 0"
+
:code:`legacy` (default)
sets "security level 1"
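Review bot: "+ sets "security level 0"" names the OpenSSL knob but not its effect; the commit message motivates the option by re-allowing SHA1 certificates rejected in OpenSSL 3.0, yet OpenSSL level 0 permits everything, not just SHA1, so the entry should state that the option removes the key-size and signature checks that level 1 enforces. Mentioning that it is equivalent to the tls-cipher "DEFAULT:@SECLEVEL=0" workaround it replaces would help users migrate.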
void
tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
- if (!profile || 0 == strcmp(profile, "legacy"))
+ if (!profile || 0 == strcmp(profile, "legacy")
+ || 0 == strcmp(profile, "insecure"))
{
ctx->cert_profile = openvpn_x509_crt_profile_legacy;
}
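Review bot: the widened condition "+ || 0 == strcmp(profile, "insecure"))" makes "insecure" a silent alias of "legacy" on mbed TLS; a short comment above the if stating that the mbed TLS build maps it to the legacy profile (as the documentation hunk says) would stop a later reader from assuming this branch weakens checks. A log line noting the fallback when that profile name is configured would also make the cross-library behaviour difference visible to operators.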
{
SSL_CTX_set_security_level(ctx->ctx, 1);
}
+ else if (0 == strcmp(profile, "insecure"))
+ {
+ SSL_CTX_set_security_level(ctx->ctx, 0);
+ }
else if (0 == strcmp(profile, "preferred"))
{
SSL_CTX_set_security_level(ctx->ctx, 2);
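Review bot: the new branch "+ SSL_CTX_set_security_level(ctx->ctx, 0);" lowers the security level without any log output; since level 0 drops the key-size and signature-algorithm checks enforced at level 1, emitting a warning in OpenVPN's msg(M_WARN, ...) style when this branch is taken would make it obvious from the logs that a deployment runs with weakened certificate checks, which is precisely the visibility the old "@SECLEVEL=0" tls-cipher hack lacked. Ordering the branches by level (0, 1, 2) rather than inserting "insecure" between "legacy" and "preferred" would also read more naturally.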