From: Antonio Quartulli
Date: Mon, 13 Sep 2021 19:29:29 +0000 (+0200)
Subject: Set TLS 1.2 as minimum by default
X-Git-Tag: v2.6_beta1~431
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=968569f83b1561ea4dff5b8b1f0d7768e2a18e69;p=thirdparty%2Fopenvpn.git

Set TLS 1.2 as minimum by default

Do not accept handshakes with peers trying to negotiate TLS lower than 1.2. TLS 1.1 and 1.0 are not recommended and therefore we will, by default, allow TLS 1.2 as minimum version. The minimum allowed version can still be controlled via '--tls-version-min'.

At the same time automatically set '--tls-version-min' to 1.0 if the user requires compatibility with versions older than 2.3.7, as that was the only version supported back then.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Message-Id: <20210913192929.26391-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22838.html
Signed-off-by: Gert Doering
---
diff --git a/Changes.rst b/Changes.rst index 2393e31d5..d24b6d20f 100644 --- a/Changes.rst +++ b/Changes.rst @@ -71,6 +71,11 @@ Deprecated features This option mainly served a role as debug option when NCP was first introduced. It should now no longer be necessary. +TLS 1.0 and 1.1 are deprecated + ``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults + to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally + avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only. + ``--cipher`` argument is no longer appended to ``--data-ciphers`` by default. Data cipher negotiation has been introduced in 2.4.0 and been significantly improved in 2.5.0. The implicit fallback diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 3e099e129..e6c1fe455 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst 
@@ -70,6 +70,8 @@ which mode OpenVPN is configured as. ``--data-ciphers`` - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with the same cipher as ``--cipher`` + - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration + when ``--tls-version-min`` is not explicitly set. --config file Load additional config options from ``file`` where each line corresponds diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 00ea063af..eaf38395d 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -545,8 +545,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa them. --tls-version-min args - Sets the minimum TLS version we will accept from the peer (default is - "1.0"). + Sets the minimum TLS version we will accept from the peer (default in + 2.6.0 and later is "1.2"). Valid syntax: :: diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4b6655d92..b3a83aa12 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3164,6 +3164,21 @@ need_compatibility_before(const struct options *o, unsigned int version) static void options_set_backwards_compatible_options(struct options *o) { + /* TLS min version is not set */ + if ((o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0) + { + if (need_compatibility_before(o, 20307)) + { + /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */ + o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT); + } + else + { + /* Use TLS 1.2 as proper default */ + o->ssl_flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT); + } + } + /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers. * Version 2.4 might probably does not need it but NCP was not so * good with 2.4 and ncp-disable might be more common on 2.4 peers.
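Review bot: the new Changes.rst entry under "Deprecated features" states the default twice ("``tls-version-min`` is set to 1.2 by default." and then "OpenVPN 2.6.0 defaults to a minimum TLS version of 1.2 ...") and leaves out the behaviour this patch adds in options.c, namely that the minimum is lowered to 1.0 automatically when compatibility with peers older than 2.3.7 is requested. Suggest merging the two sentences and replacing the last one with something like "OpenVPN versions older than 2.3.7 support TLS 1.0 only; when compatibility with such a version is configured the minimum is set to 1.0 automatically, otherwise set ``--tls-version-min 1.0`` explicitly." Also spell the option as ``--tls-version-min`` for consistency with the ``--cipher`` / ``--data-ciphers`` entry that follows.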
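Review bot: the updated ``--tls-version-min`` man page text gives the new default as "1.2" but does not mention that this same patch lowers the default to 1.0 when compatibility with peers older than 2.3.7 is requested; that behaviour is documented only in the generic-options.rst hunk, which a reader of the TLS section will not see. Suggest adding after the default a sentence such as "If this option is not set and compatibility with OpenVPN versions older than 2.3.7 is requested, the minimum is lowered to 1.0." It would also help to state that TLS 1.0 and 1.1 remain selectable through this option, so that the deprecation note in Changes.rst and the man page agree.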
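Review bot: in the options.c hunk both branches use plain assignment, `o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);` and `o->ssl_flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);`, which discards every other bit already stored in `ssl_flags` by options parsed earlier; this should be `o->ssl_flags |= ...` in both branches. The guard `(o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0` applies the mask without the `SSLF_TLS_VERSION_MIN_SHIFT` that the assignments use, so unless `SSLF_TLS_VERSION_MIN_MASK` is already defined in shifted form the condition tests the wrong bit field and the "not set" branch can run when the user did set a minimum (or be skipped when other flag bits are set); extracting the field as `(o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK` and comparing that to 0 makes the check and the assignments agree. The comment "TLS min version is not set" would read better as "Apply a default TLS minimum version only if --tls-version-min was not given".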