Also: - Switching back to OpenSSL 1.0, via compat-openssl10 and compat-openssl10-pkcs11-helper (rhbz#1443749, rhbz#1432125, rhbz#1440468) - Re-enable --enable-x509-alt-username which got removed during the clean-up patches (rhbz#1443942) - Build with lz4 library from Fedoraepel8
parent
ba1a3a7077
commit
6d9dbb81c6
@ -1,50 +0,0 @@
|
|||||||
From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Sommerseth <davids@openvpn.net>
|
|
||||||
Date: Thu, 23 Mar 2017 01:34:06 +0100
|
|
||||||
Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora
|
|
||||||
|
|
||||||
This patch hard codes an alternative mbed TLS profile to allow
|
|
||||||
RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing.
|
|
||||||
|
|
||||||
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
||||||
---
|
|
||||||
src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++
|
|
||||||
1 file changed, 23 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
|
|
||||||
index ba8dadf..05f8a48 100644
|
|
||||||
--- a/src/openvpn/ssl_mbedtls.c
|
|
||||||
+++ b/src/openvpn/ssl_mbedtls.c
|
|
||||||
@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
|
|
||||||
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
|
|
||||||
#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
|
|
||||||
|
|
||||||
+ /* Fedora adoption - allow legacy certificates
|
|
||||||
+ * Taken from the OpenVPN 3 Core code base
|
|
||||||
+ */
|
|
||||||
+ const static mbedtls_x509_crt_profile crt_profile_legacy = {
|
|
||||||
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
|
|
||||||
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
|
|
||||||
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
|
|
||||||
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
|
|
||||||
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
|
|
||||||
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
|
|
||||||
+ -1, /* Any PK alg */
|
|
||||||
+ -1, /* Any curve */
|
|
||||||
+ 1024, /* Minimum size for RSA keys */
|
|
||||||
+ };
|
|
||||||
+ mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);
|
|
||||||
+ static bool fedora_mod_info = false;
|
|
||||||
+ if (!fedora_mod_info) {
|
|
||||||
+ msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");
|
|
||||||
+ fedora_mod_info = true;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* End of Fedora adoption */
|
|
||||||
+
|
|
||||||
/* Initialise authentication information */
|
|
||||||
if (is_server)
|
|
||||||
{
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
@ -1,2 +1,2 @@
|
|||||||
SHA512 (openvpn-2.4.1.tar.xz) = d31ea5740c5aa1083c5f50b344fca0824210ca18ca77f22e08fd1b7866926aa61723545df9a34c12ca81b929efbeb20c43f11b17e1bfeb56c7bfcef67aae82d3
|
SHA512 (openvpn-2.4.2.tar.xz) = 438f16ac2d12dfd9f11ebcddebf709102046c71b4c4608a294da552587ea346d6ebb8c916f717bce992057754d6bc35ca1df5653fc907cc0003d9e34c92da963
|
||||||
SHA512 (openvpn-2.4.1.tar.xz.asc) = e9d646d135ea0b137dee05c181b9e89f3904b2c4fddeacf849f5aac1b76ba169fd930b17c130e9ce4e172c4beb7d626d9e086d970d5457e6b62662e49df00151
|
SHA512 (openvpn-2.4.2.tar.xz.asc) = 2deed80ef3b7017b2eb60931810c1902b855e9ba734caa012842227963c1ffe1ecb90b5912123ce0e4001e2dee52b9a735df91137562ed39e0a0bb24ac3f6ba5
|
||||||
|
Loading…
Reference in new issue