Set tls-version-max to 1.1 if cryptoapicert is used

OpenVPN's current cryptoapicert implementation does not support TLS 1.2
(and newer).  Fixing this requires a rewrite of our cryptoapi code to use
Microsofts' "Cryptography API: Next Generation", and several hacks to work
around that API.  As long as we don't fix that, make openvpn automatically
cap the TLS version to 1.1 when using cryptoapi (and tell the user we're
doing so).  This enables the user to use cryptoapi + TLS version
negotiation (upto TLS 1.1) without having to change his configuration.

This patch has been tested on Windows 8.1 for both the master and
release/2.3 branches.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9361
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 04dcb96cc1f525afee3f830248ecaa22d1b4a4c2)

1 files changed, 18 insertions, 0 deletions

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f6e41a9..dd79da4 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2553,6 +2553,24 @@ options_postprocess_mutate (struct options *o)
   else
     options_postprocess_mutate_ce (o, &o->ce);  
 
+#ifdef ENABLE_CRYPTOAPI
+  if (o->cryptoapi_cert)
+    {
+      const int tls_version_max =
+	  (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &
+	  SSLF_TLS_VERSION_MAX_MASK;
+
+      if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1)
+	{
+	  msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS "
+	      "version to 1.1.");
+	  o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK <<
+	      SSLF_TLS_VERSION_MAX_SHIFT);
+	  o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
+	}
+    }
+#endif /* ENABLE_CRYPTOAPI */
+
 #if P2MP
   /*
    * Save certain parms before modifying options via --pull