From: Steffan Karger
Date: Sat, 24 Feb 2018 17:04:49 +0000 (+0100)
Subject: Warn if tls-version-max < tls-version-min
X-Git-Tag: v2.4.5~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d705accea3e53;p=thirdparty%2Fopenvpn.git

Warn if tls-version-max < tls-version-min

This adds warnings for when a user or our code tries to set a maximum TLS version that's smaller then the current configured minimum TLS version. (And fixes some related whitespace now I touch it anyway.)

Signed-off-by: Steffan Karger
Acked-by: Selva Nair
Message-Id: <20180224170449.25194-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16545.html
Signed-off-by: Gert Doering
(cherry picked from commit f8a92a4393aae32fc44e03241b5cc891ca6e58a4)
---
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index f155123d0..89d253c3d 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -528,12 +528,18 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
     if ((!max_version || max_version > TLS1_1_VERSION)
         && cd->key_spec != CERT_NCRYPT_KEY_SPEC)
     {
-        msg(M_WARN,"WARNING: cryptoapicert: private key is in a legacy store."
+        msg(M_WARN, "WARNING: cryptoapicert: private key is in a legacy store."
             " Restricting TLS version to 1.1");
+        if (SSL_CTX_get_min_proto_version(ssl_ctx) > TLS1_1_VERSION)
+        {
+            msg(M_NONFATAL,
+                "ERROR: cryptoapicert: min TLS version larger than 1.1."
+                " Try config option --tls-version-min 1.1");
+            goto err;
+        }
         if (!SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_1_VERSION))
         {
-            msg(M_NONFATAL,"ERROR: cryptoapicert: unable to set max TLS version"
-                " to 1.1. Try config option --tls-version-min 1.1");
+            msg(M_NONFATAL, "ERROR: cryptoapicert: set max TLS version failed");
             goto err;
         }
     }
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index a69a70796..c3152d0c1 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
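Review bot: The legacy-store warning is still logged before the new minimum-version check, so a user who configured --tls-version-min 1.2 sees "Restricting TLS version to 1.1" immediately followed by an error saying the restriction was refused. Moving the `msg(M_WARN, ...)` below the new `if` block, or naming the cause in the error text, e.g. `"ERROR: cryptoapicert: private key is in a legacy store limited to TLS 1.1, but --tls-version-min is higher"`, would keep the log consistent with what actually happened. Refusing to start here is the right fail-closed choice, since the alternative would be to silently lower the configured minimum. The compat shim's SSL_CTX_get_min_proto_version returns 0 when no version is enabled (per its new doc comment), which this comparison treats as "not above 1.1" and so still proceeds to cap the maximum; that looks intended but deserves a one-line comment such as `/* 0 from the compat shim means no explicit minimum; capping is then safe */`. SSL_CTX_use_CryptoAPI_certificate starts and ends outside the hunk, and max_version appears to be computed earlier in it.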
@@ -662,10 +662,24 @@ EC_GROUP_order_bits(const EC_GROUP *group)
 #endif
 
 #ifndef SSL_CTX_get_min_proto_version
-/** Dummy SSL_CTX_get_min_proto_version for OpenSSL < 1.1 (not really needed) */
+/** Return the min SSL protocol version currently enabled in the context.
+ * If no valid version >= TLS1.0 is found, return 0. */
 static inline int
 SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
 {
+    long sslopt = SSL_CTX_get_options(ctx);
+    if (!(sslopt & SSL_OP_NO_TLSv1))
+    {
+        return TLS1_VERSION;
+    }
+    if (!(sslopt & SSL_OP_NO_TLSv1_1))
+    {
+        return TLS1_1_VERSION;
+    }
+    if (!(sslopt & SSL_OP_NO_TLSv1_2))
+    {
+        return TLS1_2_VERSION;
+    }
     return 0;
 }
 #endif /* SSL_CTX_get_min_proto_version */
@@ -680,18 +694,18 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
 #ifdef SSL_OP_NO_TLSv1_2
     if (!(sslopt & SSL_OP_NO_TLSv1_2))
     {
-        return TLS1_2_VERSION;
+        return TLS1_2_VERSION;
     }
 #endif
 #ifdef SSL_OP_NO_TLSv1_1
     if (!(sslopt & SSL_OP_NO_TLSv1_1))
     {
-        return TLS1_1_VERSION;
+        return TLS1_1_VERSION;
     }
 #endif
     if (!(sslopt & SSL_OP_NO_TLSv1))
     {
-        return TLS1_VERSION;
+        return TLS1_VERSION;
     }
     return 0;
 }
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c9f1773af..3f9164c78 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2556,6 +2556,18 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
             "in the configuration file, which is the recommended approach.");
     }
 
+    const int tls_version_max =
+        (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
+        & SSLF_TLS_VERSION_MAX_MASK;
+    const int tls_version_min =
+        (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
+        & SSLF_TLS_VERSION_MIN_MASK;
+
+    if (tls_version_max > 0 && tls_version_max < tls_version_min)
+    {
+        msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
+    }
+
     if (options->tls_server || options->tls_client)
     {
 #ifdef ENABLE_PKCS11
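Review bot: The new SSL_CTX_get_min_proto_version body tests `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` unconditionally, while its sibling SSL_CTX_get_max_proto_version in the next hunk wraps the same tests in `#ifdef SSL_OP_NO_TLSv1_1` and `#ifdef SSL_OP_NO_TLSv1_2`; on an OpenSSL build where those macros are absent (the reason the sibling guards them) this shim no longer compiles. Guard the 1.1 and 1.2 checks with the same `#ifdef` / `#endif` pairs the sibling uses. The doc comment should also say that the function reports the lowest version not disabled via SSL_OP_NO_*, so a configuration with TLS 1.0 and 1.2 enabled but 1.1 disabled still reports TLS1_VERSION; the cryptoapi.c caller compares this value against TLS1_1_VERSION, so that behaviour matters to it.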
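Review bot: The new comparison in options_postprocess_verify_ce relies on the values stored in the SSLF_TLS_VERSION_* bit fields being numerically ordered by protocol version; that is presumably true of the TLS_VER_* constants but is not visible here, and a comment above the `if` such as `/* TLS_VER_* values are ordered by protocol version, so a plain compare is valid */` would record the assumption. The `tls_version_max > 0` guard means the check only fires when a maximum was set explicitly, which a short comment should state as well, since 0 here means "no limit" rather than a version. Because both values are read from options->ssl_flags rather than the connection entry, the check appears to run once per connection entry; with M_USAGE that is harmless, but it may belong with the other global option checks if such a place exists outside the hunk. options_postprocess_verify_ce starts and ends outside the hunk.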