authorSteffan Karger <steffan@karger.me>2014-12-28 11:25:13 +0100
committerGert Doering <gert@greenie.muc.de>2014-12-28 19:21:10 +0100
commit04dcb96cc1f525afee3f830248ecaa22d1b4a4c2 (patch)
tree64b789c31c3e515c1437a66c38d443f4bf1804a6 /src/openvpn/options.c
parent7c1d614c5c5282a73cb799f919eac6750363783a (diff)
Set tls-version-max to 1.1 if cryptoapicert is used
OpenVPN's current cryptoapicert implementation does not support TLS 1.2 (and newer). Fixing this requires a rewrite of our cryptoapi code to use Microsoft's "Cryptography API: Next Generation", and several hacks to work around that API. As long as we don't fix that, make openvpn automatically cap the TLS version to 1.1 when using cryptoapi (and tell the user we're doing so). This enables the user to use cryptoapi + TLS version negotiation (up to TLS 1.1) without having to change his configuration. This patch has been tested on Windows 8.1 for both the master and release/2.3 branches. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r--src/openvpn/options.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 5e8d9dc..1e0284e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2525,6 +2525,24 @@ options_postprocess_mutate (struct options *o)
options_postprocess_http_proxy_override(o);
#endif
+#ifdef ENABLE_CRYPTOAPI
+ if (o->cryptoapi_cert)
+ {
+ const int tls_version_max =
+ (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &
+ SSLF_TLS_VERSION_MAX_MASK;
+
+ if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1)
+ {
+ msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS "
+ "version to 1.1.");
+ o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK <<
+ SSLF_TLS_VERSION_MAX_SHIFT);
+ o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
+ }
+ }
+#endif /* ENABLE_CRYPTOAPI */
+
#if P2MP
/*
* Save certain parms before modifying options via --pull
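Review bot: The user-facing warning misnames the option it is talking about: `"Warning: cryptapicert used, setting maximum TLS version to 1.1."` should read `"Warning: cryptoapicert used, setting maximum TLS version to 1.1."` so the message matches `--cryptoapicert` and the `o->cryptoapi_cert` field it is keyed on. The cap also ignores the configured minimum: if the same configuration sets `--tls-version-min 1.2`, this block lowers the maximum below the minimum and the failure only shows up later in the handshake with a less obvious error, so it would be clearer to detect that combination here and reject it with an explicit `msg(M_USAGE, ...)` naming both options (assuming the minimum is stored in `ssl_flags` alongside the maximum, as the MAX shift/mask usage suggests). Since the downgrade is deliberate and security-relevant, consider also stating in the message that TLS 1.2 is unsupported by the current cryptoapi code, so the reader understands why the maximum is being reduced. `options_postprocess_mutate` starts and ends outside this hunk.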