From: Arne Schwabe Date: Fri, 29 Oct 2021 11:24:07 +0000 (+0200) Subject: Add insecure tls-cert-profile options X-Git-Tag: v2.5.7~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b1b100557608db8a311d06f7578ceb7c4d33aa6;p=thirdparty%2Fopenvpn.git Add insecure tls-cert-profile options The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to reallow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add "insecure" as an option to tls-cert-profile to allow setting a seclevel of 0. Patch v4: fix default accidentally changed to insecure Signed-off-by: Arne Schwabe Acked-by: Max Fillinger Message-Id: <20211029112407.2004234-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html Signed-off-by: Gert Doering (cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67) --- diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index f0b6d3dc5..b7f447391 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -369,6 +369,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa The following profiles are supported: + :code:`insecure` + Identical for mbed TLS to `legacy` + :code:`legacy` (default) SHA1 and newer, RSA 2048-bit+, any elliptic curve. @@ -381,6 +384,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa This option is only fully supported for mbed TLS builds. OpenSSL builds use the following approximation: + :code:`insecure` + sets "security level 0" + :code:`legacy` (default) sets "security level 1" diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 4a64e6d33..be0e57f15 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -330,7 +330,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { - if (!profile || 0 == strcmp(profile, "legacy")) + if (!profile || 0 == strcmp(profile, "legacy") + || 0 == strcmp(profile, "insecure")) { ctx->cert_profile = openvpn_x509_crt_profile_legacy; } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 595057d63..016331897 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -551,6 +551,10 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { SSL_CTX_set_security_level(ctx->ctx, 1); } + else if (0 == strcmp(profile, "insecure")) + { + SSL_CTX_set_security_level(ctx->ctx, 0); + } else if (0 == strcmp(profile, "preferred")) { SSL_CTX_set_security_level(ctx->ctx, 2);
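Review bot: In the first tls-options.rst hunk, the new profile-list entry "Identical for mbed TLS to `legacy`" is awkward and inconsistent with the entries around it, which describe what the profile permits and use :code: markup rather than bare backticks. Suggest "Identical to :code:`legacy` on mbed TLS builds; on OpenSSL builds it lowers the security level to 0 (see below)." so a reader of the profile list learns that the option changes nothing on mbed TLS and only has an effect with OpenSSL.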
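Review bot: In the second tls-options.rst hunk, "sets 'security level 0'" understates what the option does: OpenSSL security level 0 disables all of the library's algorithm and key-size checks, not only the SHA1 signature restriction that the commit message gives as the motivation. The documentation should say so explicitly, for example "sets 'security level 0', which disables OpenSSL's algorithm and key-size restrictions entirely (needed to accept SHA1-signed certificates with OpenSSL 3.0)", so administrators understand they are accepting more than SHA1 when they choose it.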
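Review bot: In the ssl_mbedtls.c hunk, "insecure" is silently folded into the legacy profile with no log output, so an administrator who sets it expecting a relaxed profile has no indication that the mbed TLS build treats it as legacy. Consider emitting a message (at least at debug level) in that branch, e.g. when profile is "insecure", stating that mbed TLS builds map it to the legacy profile; the continuation line of the condition is otherwise fine and follows the existing `0 == strcmp(...)` style.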
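Review bot: In the ssl_openssl.c hunk, the new branch calling SSL_CTX_set_security_level(ctx->ctx, 0) is the equivalent of the "DEFAULT:@SECLEVEL=0" workaround named in the commit message, but selecting it leaves no trace in the logs. Suggest adding an M_WARN message in that branch, e.g. "tls-cert-profile insecure: OpenSSL security level set to 0, all algorithm and key-size checks disabled", so the weakened verification posture is visible when reviewing server logs; the placement between the "legacy" and "preferred" branches is otherwise consistent with the existing chain.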