Add --tls-version-max

Because using TLS 1.2 breaks certain setups, a user might want to enforce a maximum TLS version to use. This patch adds that option. This patch removes a number of #ifdefs from ssl_polarssl.c, because the polarssl versions we currently support (polar 1.2 for openvpn 2.3, and polar 1.3 for openvpn-master) have all versions unconditionally enabled. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <544EC052.3080809@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9210 Signed-off-by: Gert Doering <gert@greenie.muc.de>
author: Steffan Karger <steffan.karger@fox-it.com> 2014-09-05 12:38:04 +0200
committer: Gert Doering <gert@greenie.muc.de> 2014-11-14 15:12:08 +0100
commit: c80727650461e49525eefcbc741c8245d7787ba4 (patch)
tree: 4b4f5a51b52699fc42f7512873b36c2b6b35e9fc /src/openvpn/options.c
parent: 44294568a113a7c54ce7fca86b4014c9d1168888 (diff)
download: openvpn-c80727650461e49525eefcbc741c8245d7787ba4.tar.gz
openvpn-c80727650461e49525eefcbc741c8245d7787ba4.tar.xz
openvpn-c80727650461e49525eefcbc741c8245d7787ba4.zip
1 files changed, 19 insertions, 3 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index fa53a17..d91bb63 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -572,6 +572,7 @@ static const char usage_message[] =
   "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
   "    will accept from the peer.  If version is unrecognized and 'or-highest'\n"
   "    is specified, require max TLS version supported by SSL implementation.\n"
+  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
 #ifndef ENABLE_CRYPTO_POLARSSL
   "--pkcs12 file   : PKCS#12 file containing local private key, local certificate\n"
   "                  and optionally the root CA certificate.\n"
@@ -6570,14 +6571,29 @@ add_option (struct options *options,
     {
       int ver;
       VERIFY_PERMISSION (OPT_P_GENERAL);
-      ver = tls_version_min_parse(p[1], p[2]);
+      ver = tls_version_parse(p[1], p[2]);
       if (ver == TLS_VER_BAD)
 	{
 	  msg (msglevel, "unknown tls-version-min parameter: %s", p[1]);
           goto err;
 	}
-      options->ssl_flags &= ~(SSLF_TLS_VERSION_MASK << SSLF_TLS_VERSION_SHIFT);
-      options->ssl_flags |= (ver << SSLF_TLS_VERSION_SHIFT);
+      options->ssl_flags &=
+	  ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
+      options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
+    }
+  else if (streq (p[0], "tls-version-max") && p[1])
+    {
+      int ver;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      ver = tls_version_parse(p[1], NULL);
+      if (ver == TLS_VER_BAD)
+	{
+	  msg (msglevel, "unknown tls-version-max parameter: %s", p[1]);
+          goto err;
+	}
+      options->ssl_flags &=
+	  ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
+      options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
     }
 #ifndef ENABLE_CRYPTO_POLARSSL
   else if (streq (p[0], "pkcs12") && p[1])
author	Steffan Karger <steffan.karger@fox-it.com>	2014-09-05 12:38:04 +0200
committer	Gert Doering <gert@greenie.muc.de>	2014-11-14 15:12:08 +0100
commit	c80727650461e49525eefcbc741c8245d7787ba4 (patch)
tree	4b4f5a51b52699fc42f7512873b36c2b6b35e9fc /src/openvpn/options.c
parent	44294568a113a7c54ce7fca86b4014c9d1168888 (diff)
download	openvpn-c80727650461e49525eefcbc741c8245d7787ba4.tar.gz openvpn-c80727650461e49525eefcbc741c8245d7787ba4.tar.xz openvpn-c80727650461e49525eefcbc741c8245d7787ba4.zip