For OpenSSL, this means to use TLSv1_(client|server)_method rather
than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
for specific TLS versions to disable.
For PolarSSL, this means to implicitly control the TLS version via allowed
ciphersuites.
Point out off-by-default-now setting in the openvpn(8) man page.
This patch is only included in the release/2.3 branch, because it's a
stopgap measure. 2.4 will have it on-by-default, when the remaining
handshake problems are fully debugged and solved.
Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <
535EC5FE.
6060302@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8665
Signed-off-by: Gert Doering <gert@greenie.muc.de>
.\"*********************************************************
.TP
.B \-\-tls-version-min version ['or-highest']
-Sets the minimum
+Enable TLS version negotiation, and set the minimum
TLS version we will accept from the peer (default is "1.0").
Examples for version
include "1.0", "1.1", or "1.2". If 'or-highest' is specified
and version is not recognized, we will only accept the highest TLS
version supported by the local SSL implementation.
+
+If this options is not set, the code in OpenVPN 2.3.4 will default
+to using TLS 1.0 only, without any version negotiation. This reverts
+the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned
+out that TLS version negotiation can lead to handshake problems due
+to new signature algorithms in TLS 1.2.
.\"*********************************************************
.TP
.B \-\-pkcs12 file
if (options->tls_server)
{
- tls_ctx_server_new(new_ctx);
+ tls_ctx_server_new(new_ctx, options->ssl_flags);
tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
}
else /* if client */
{
- tls_ctx_client_new(new_ctx);
+ tls_ctx_client_new(new_ctx, options->ssl_flags);
}
tls_ctx_set_options(new_ctx, options->ssl_flags);
* @return One of the TLS_VER_x constants or TLS_VER_BAD
* if a parse error should be flagged.
*/
-#define TLS_VER_BAD -1
-#define TLS_VER_1_0 0 /* default */
-#define TLS_VER_1_1 1
-#define TLS_VER_1_2 2
+#define TLS_VER_BAD -1
+#define TLS_VER_UNSPEC 0 /* default */
+#define TLS_VER_1_0 1
+#define TLS_VER_1_1 2
+#define TLS_VER_1_2 3
int tls_version_min_parse(const char *vstr, const char *extra);
/**
* Initialise a library-specific TLS context for a server.
*
* @param ctx TLS context to initialise
+ * @param ssl_flags SSLF_x flags from ssl_common.h
*/
-void tls_ctx_server_new(struct tls_root_ctx *ctx);
+void tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags);
/**
* Initialises a library-specific TLS context for a client.
*
* @param ctx TLS context to initialise
+ * @param ssl_flags SSLF_x flags from ssl_common.h
*/
-void tls_ctx_client_new(struct tls_root_ctx *ctx);
+void tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags);
/**
* Frees the library-specific TLSv1 context
}
void
-tls_ctx_server_new(struct tls_root_ctx *ctx)
+tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
+ const int tls_version_min = (ssl_flags >> SSLF_TLS_VERSION_SHIFT) & SSLF_TLS_VERSION_MASK;
+
ASSERT(NULL != ctx);
- ctx->ctx = SSL_CTX_new (SSLv23_server_method ());
+ if (tls_version_min > TLS_VER_UNSPEC)
+ ctx->ctx = SSL_CTX_new (SSLv23_server_method ());
+ else
+ ctx->ctx = SSL_CTX_new (TLSv1_server_method ());
if (ctx->ctx == NULL)
msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method");
}
void
-tls_ctx_client_new(struct tls_root_ctx *ctx)
+tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
+ const int tls_version_min = (ssl_flags >> SSLF_TLS_VERSION_SHIFT) & SSLF_TLS_VERSION_MASK;
+
ASSERT(NULL != ctx);
- ctx->ctx = SSL_CTX_new (SSLv23_client_method ());
+ if (tls_version_min > TLS_VER_UNSPEC)
+ ctx->ctx = SSL_CTX_new (SSLv23_client_method ());
+ else
+ ctx->ctx = SSL_CTX_new (TLSv1_client_method ());
if (ctx->ctx == NULL)
msg (M_SSLERR, "SSL_CTX_new SSLv23_client_method");
}
void
-tls_ctx_server_new(struct tls_root_ctx *ctx)
+tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
ASSERT(NULL != ctx);
CLEAR(*ctx);
}
void
-tls_ctx_client_new(struct tls_root_ctx *ctx)
+tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
ASSERT(NULL != ctx);
CLEAR(*ctx);
projects / thirdparty / openvpn.git / commitdiff
