From 77f8a56a1acc1d5e7f042c9bc393e83541155483 Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Sun, 28 Dec 2014 11:25:13 +0100 Subject: Set tls-version-max to 1.1 if cryptoapicert is used OpenVPN's current cryptoapicert implementation does not support TLS 1.2 (and newer). Fixing this requires a rewrite of our cryptoapi code to use Microsofts' "Cryptography API: Next Generation", and several hacks to work around that API. As long as we don't fix that, make openvpn automatically cap the TLS version to 1.1 when using cryptoapi (and tell the user we're doing so). This enables the user to use cryptoapi + TLS version negotiation (upto TLS 1.1) without having to change his configuration. This patch has been tested on Windows 8.1 for both the master and release/2.3 branches. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9361 Signed-off-by: Gert Doering (cherry picked from commit 04dcb96cc1f525afee3f830248ecaa22d1b4a4c2) --- src/openvpn/options.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'src/openvpn/options.c') diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f6e41a9..dd79da4 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2553,6 +2553,24 @@ options_postprocess_mutate (struct options *o) else options_postprocess_mutate_ce (o, &o->ce); +#ifdef ENABLE_CRYPTOAPI + if (o->cryptoapi_cert) + { + const int tls_version_max = + (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & + SSLF_TLS_VERSION_MAX_MASK; + + if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1) + { + msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS " + "version to 1.1."); + o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << + SSLF_TLS_VERSION_MAX_SHIFT); + o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT); + } + } +#endif /* ENABLE_CRYPTOAPI */ + #if P2MP /* * Save certain parms before modifying options via --pull -- cgit