authorArne Schwabe2021-10-29 13:24:07 +0200
committerGert Doering2022-05-04 10:43:47 +0200
commit7b1b100557608db8a311d06f7578ceb7c4d33aa6 (patch)
treec79c49b96cb178d7990a94a05cca6912c2f5ca46
parentf89b07831e8a6d0819b32d2fd6b15f430941ebcb (diff)
Add insecure tls-cert-profile options
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to reallow them in certain deployments. Currently this works by the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add "insecure" as option to tls-cert-profile to allow setting a seclevel of 0. Patch v4: fix default accidentally changed to insecure Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Message-Id: <20211029112407.2004234-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67)
-rw-r--r--doc/man-sections/tls-options.rst6
-rw-r--r--src/openvpn/ssl_mbedtls.c3
-rw-r--r--src/openvpn/ssl_openssl.c4
3 files changed, 12 insertions, 1 deletions
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index f0b6d3d..b7f4473 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -369,6 +369,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
The following profiles are supported:
+ :code:`insecure`
+ Identical for mbed TLS to `legacy`
+
:code:`legacy` (default)
SHA1 and newer, RSA 2048-bit+, any elliptic curve.
@@ -381,6 +384,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
This option is only fully supported for mbed TLS builds. OpenSSL builds
use the following approximation:
+ :code:`insecure`
+ sets "security level 0"
+
:code:`legacy` (default)
sets "security level 1"
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 4a64e6d..be0e57f 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -330,7 +330,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
void
tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
- if (!profile || 0 == strcmp(profile, "legacy"))
+ if (!profile || 0 == strcmp(profile, "legacy")
+ || 0 == strcmp(profile, "insecure"))
{
ctx->cert_profile = openvpn_x509_crt_profile_legacy;
}
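Review bot: The added `|| 0 == strcmp(profile, "insecure")` folds the new value silently into the legacy profile, so the same `--tls-cert-profile insecure` line yields a different effective policy on an mbed TLS build than on an OpenSSL build (where the ssl_openssl.c hunk drops to security level 0), and nothing in the code or the startup log records that. A comment above the condition would preserve the reasoning, e.g. `/* "insecure" is accepted for config portability with OpenSSL builds; on mbed TLS it maps to the legacy profile, the weakest one available here (confirm) */`. It would also be worth a one-line warning before the `if`, guarded by `profile && 0 == strcmp(profile, "insecure")`, such as `msg(M_WARN, "tls-cert-profile 'insecure' is handled as 'legacy' with mbed TLS");` so an operator can see the value was not applied as written. The body of tls_ctx_set_cert_profile continues past the hunk.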
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 595057d..0163318 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -551,6 +551,10 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
SSL_CTX_set_security_level(ctx->ctx, 1);
}
+ else if (0 == strcmp(profile, "insecure"))
+ {
+ SSL_CTX_set_security_level(ctx->ctx, 0);
+ }
else if (0 == strcmp(profile, "preferred"))
{
SSL_CTX_set_security_level(ctx->ctx, 2);
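Review bot: `SSL_CTX_set_security_level(ctx->ctx, 0)` in the new branch lifts every OpenSSL strength check, not only the SHA1 certificate-signature restriction the commit message is addressing — level 0 also permits MD5-signed certificates, RSA keys below 1024 bits and the weakest cipher suites — and the branch carries no comment or log line recording that this breadth is intended. I would add `/* level 0 disables all OpenSSL strength checks (MD5 signatures, short RSA keys, weak ciphers), not just SHA1 certificate signatures */` above the call and log `msg(M_WARN, "tls-cert-profile 'insecure': OpenSSL security level 0, certificate and cipher strength checks are disabled");` beside it, so the downgrade is visible at startup rather than only in the config file. Whether a later `--tls-cipher` string containing `@SECLEVEL=` (applied in tls_ctx_restrict_ciphers) overrides or is overridden by this setting is not visible from the hunk and is worth confirming in the man page text. tls_ctx_set_cert_profile begins before the hunk and continues past it.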