diff options
author | Bernhard Schmidt <berni@debian.org> | 2020-04-21 16:56:12 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2020-04-21 16:56:12 +0200 |
commit | 9df4f6e383b6ad4a63b4402a6f1f690b2bb654f2 (patch) | |
tree | 79fe30ceed91c27af3bef6bbf8d45a2f50d5a465 /debian | |
parent | d5b951c541b8d9a4109bd301463da8271db4cf06 (diff) |
Cherry-Pick upstream patch to fix ssl_do_config error with invalid OpenSSL system configuration
Closes: #958296
Diffstat (limited to 'debian')
-rw-r--r-- | debian/patches/fix-openssl-error.patch | 51 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 52 insertions, 0 deletions
diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch new file mode 100644 index 0000000..566d7e6 --- /dev/null +++ b/debian/patches/fix-openssl-error.patch @@ -0,0 +1,51 @@ +In the corner case that the global OpenSSL has an invalid command like + + MinProtocol = TLSv1.0 + +(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct) + +the SSL_ctx_new function leaves the errors for parsing the config file +on the stack. + +OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value + +Since the later functions, especially the one of loading the +certificates expected a clean error this error got reported at the +wrong place. + +Print the warnings with crypto_msg when we detect that we are in this +situation (this also clears the stack). +--- + src/openvpn/ssl_openssl.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c +index 5955c6bd..555cbbdf 100644 +--- a/src/openvpn/ssl_openssl.c ++++ b/src/openvpn/ssl_openssl.c +@@ -115,6 +115,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) + { + crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method"); + } ++ if (ERR_peek_error() != 0) ++ { ++ crypto_msg(M_WARN, "Warning: TLS server context initialisation " ++ "has warnings."); ++ } + } + + void +@@ -128,6 +133,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) + { + crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method"); + } ++ if (ERR_peek_error() != 0) ++ { ++ crypto_msg(M_WARN, "Warning: TLS client context initialisation " ++ "has warnings."); ++ } + } + + void +-- +2.26.0 diff --git a/debian/patches/series b/debian/patches/series index a903d3d..6ef394c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ kfreebsd_support.patch match-manpage-and-command-help.patch spelling_errors.patch systemd.patch +fix-openssl-error.patch |