|
@ -1,42 +0,0 @@ |
|
|
From e4bd17c86e01aaf6f809d9ea355419c86c4defdc Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: Max Fillinger <maximilian.fillinger@foxcrypto.com> |
|
|
|
|
|
Date: Mon, 12 Apr 2021 19:46:17 +0200 |
|
|
|
|
|
Subject: [PATCH] Fix build with mbedtls w/o SSL renegotiation support |
|
|
|
|
|
|
|
|
|
|
|
In mbedtls, support for SSL renegotiation can be disabled at |
|
|
|
|
|
compile-time. However, OpenVPN cannot be built with such a library |
|
|
|
|
|
because it calls mbedtls_ssl_conf_renegotiation() to disable this |
|
|
|
|
|
feature at runtime. This function doesn't exist when mbedtls was built |
|
|
|
|
|
without support for SSL renegotiation. |
|
|
|
|
|
|
|
|
|
|
|
This commit fixes the build by ifdef'ing out the function call when |
|
|
|
|
|
mbedtls was built without support for SSL renegotiation. |
|
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> |
|
|
|
|
|
Acked-by: Antonio Quartulli <antonio@openvpn.net> |
|
|
|
|
|
Message-Id: <E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com> |
|
|
|
|
|
URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com |
|
|
|
|
|
Signed-off-by: Gert Doering <gert@greenie.muc.de> |
|
|
|
|
|
---
|
|
|
|
|
|
src/openvpn/ssl_mbedtls.c | 9 ++++++--- |
|
|
|
|
|
1 file changed, 6 insertions(+), 3 deletions(-) |
|
|
|
|
|
|
|
|
|
|
|
--- a/src/openvpn/ssl_mbedtls.c
|
|
|
|
|
|
+++ b/src/openvpn/ssl_mbedtls.c
|
|
|
|
|
|
@@ -1098,10 +1098,13 @@ key_state_ssl_init(struct key_state_ssl
|
|
|
|
|
|
{ |
|
|
|
|
|
mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups); |
|
|
|
|
|
} |
|
|
|
|
|
- /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
|
|
|
|
|
|
- * session and does not depend on this feature. And TLS renegotiations have
|
|
|
|
|
|
- * been problematic in the past */
|
|
|
|
|
|
+
|
|
|
|
|
|
+ /* Disable TLS renegotiations if the mbedtls library supports that feature.
|
|
|
|
|
|
+ * OpenVPN's renegotiation creates new SSL sessions and does not depend on
|
|
|
|
|
|
+ * this feature and TLS renegotiations have been problematic in the past. */
|
|
|
|
|
|
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
|
|
|
|
|
mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED); |
|
|
|
|
|
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
|
|
|
|
|
|
|
|
|
|
|
/* Disable record splitting (for now). OpenVPN assumes records are sent |
|
|
|
|
|
* unfragmented, and changing that will require thorough review and |
|
|
|