- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1 and RIPEMD-160 hashing algorithms (based on OpenVPN 3 legacy profile) - Removed non-functional ./configure options - Use upstream tmpfiles.d/openvpn - Package newer openvpn-client/server@.service unit files
epel8
parent
ee26d4439f
commit
983199849d
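--- /dev/null
+++ b/PATCH-FILE-PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,50 @@
+From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001
+From: David Sommerseth <davids@openvpn.net>
+Date: Thu, 23 Mar 2017 01:34:06 +0100
+Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora
+
+This patch hard codes an alternative mbed TLS profile to allow
+RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing.
+
+Signed-off-by: David Sommerseth <davids@openvpn.net>
+---
+src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++
+1 file changed, 23 insertions(+)
+
+diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
+index ba8dadf..05f8a48 100644
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
+MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
++ /* Fedora adoption - allow legacy certificates
++ * Taken from the OpenVPN 3 Core code base
++ */
++ const static mbedtls_x509_crt_profile crt_profile_legacy = {
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
++ -1, /* Any PK alg */
++ -1, /* Any curve */
++ 1024, /* Minimum size for RSA keys */
++ };
++ mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);
++ static bool fedora_mod_info = false;
++ if (!fedora_mod_info) {
++ msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");
++ fedora_mod_info = true;
++ }
++
++ /* End of Fedora adoption */
++
+/* Initialise authentication information */
+if (is_server)
+{
+--
+2.11.0
+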
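Review bot: The legacy profile is installed unconditionally at the `mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);` line, so every TLS context built by key_state_ssl_init accepts SHA1- and RIPEMD160-signed certificates and 1024-bit RSA keys, with no way for an operator to keep the stricter mbed TLS default on deployments that no longer need the weakening. Gating that call on an explicit opt-in (a configuration option; later upstream releases provide `--tls-cert-profile` for exactly this, if I recall correctly) would keep the secure default and make the weaker profile a deliberate per-deployment choice. The `static bool fedora_mod_info` guard also prints the notice once per process at M_INFO, so in a long-running daemon later connections leave no log trace that the weakened profile is in force; `msg(M_WARN, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");` without the one-shot guard would surface it in each connection's log. Minor style point: `const static mbedtls_x509_crt_profile crt_profile_legacy` is conventionally written `static const mbedtls_x509_crt_profile crt_profile_legacy`. key_state_ssl_init starts and ends outside the inner hunk, so the surrounding ssl_config setup is not visible here.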
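--- a/TMPFILES-CONF-PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1 +0,0 @@
-D /var/run/openvpn 0710 root openvpn -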