From: Steffan Karger
Date: Sun, 13 Jul 2014 09:26:32 +0000 (+0200)
Subject: Define dummy SSL_OP_NO_TICKET flag if not present in OpenSSL.
X-Git-Tag: v2.4_alpha1~392
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97bd862ed5c22956cb4405eabae64cf55cabb0d3;p=thirdparty%2Fopenvpn.git
Define dummy SSL_OP_NO_TICKET flag if not present in OpenSSL.
This restores support for pre-0.9.8f OpenSSL versions, which do not include stateless session resumption, and the accompanying SSL_OP_NO_TICKET flag.
Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <53C251E2.7050605@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8902
Signed-off-by: Gert Doering
---
diff --git a/configure.ac b/configure.ac
index 117eaf60e..0d0ab88e9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -814,25 +814,6 @@ if test "${have_openssl_crypto}" = "yes"; then
 LIBS="${saved_LIBS}"
 fi
 
-if test "${enable_ssl}" = "yes" && test "${with_crypto_library}" = "openssl";
-then
- saved_CPPFLAGS="${CPPFLAGS}"
- CPPFLAGS="${CPPFLAGS} ${OPENSSL_CRYPTO_CFLAGS}"
- AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL])
- AC_EGREP_CPP(have_ssl_op_no_ticket, [
- #include
- #ifdef SSL_OP_NO_TICKET
- have_ssl_op_no_ticket
- #endif
- ], [
- AC_MSG_RESULT([yes])
- ], [
- AC_MSG_RESULT([no])
- AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])
- ])
- CPPFLAGS="${saved_CPPFLAGS}"
-fi
-
 AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl])
 AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl])
 have_polarssl_ssl="yes"
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index fc2052cb6..97dc7422c 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -32,6 +32,17 @@
 
 #include
 
+/**
+ * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
+ * as this is something we do not want nor need, but could potentially be
+ * used for a future attack. For compatibility reasons we keep building if the
+ * OpenSSL version is too old (pre-0.9.8f) to support stateless session
+ * resumption (and the accompanying SSL_OP_NO_TICKET flag).
+ */
+#ifndef SSL_OP_NO_TICKET
+# define SSL_OP_NO_TICKET 0
+#endif
+
 /**
  * Structure that wraps the TLS context. Contents differ depending on the
  * SSL library used.
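Review bot: The fallback `# define SSL_OP_NO_TICKET 0` makes the flag a silent no-op wherever it is OR-ed into the context options, which is only correct when the macro is missing because the OpenSSL build predates 0.9.8f and has no ticket support at all; if it is ever missing for another reason (a library that dropped or renamed the macro, or the OpenSSL header not being included before this point), ticket-based resumption stays enabled with no build-time signal, and the configure check this commit removes was the only thing that would have caught that. Since the preprocessor has the library version available, the compatibility shim can fail loudly on ticket-capable versions by inserting, inside the `#ifndef`, `# if OPENSSL_VERSION_NUMBER >= 0x0090806fL` / `#  error "SSL_OP_NO_TICKET missing from a ticket-capable OpenSSL"` / `# endif` before the define (0x0090806fL should correspond to the 0.9.8f release; confirm against opensslv.h). The doc comment could also state the consequence explicitly, e.g. `On such versions the define evaluates to 0, so the option is a no-op rather than a protection`, so a future reader does not assume the old versions are protected. The added lines are file-scope preprocessor directives, not part of any function.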