summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2020-04-21 16:56:12 +0200
committerBernhard Schmidt <berni@debian.org>2020-04-21 16:56:12 +0200
commit9df4f6e383b6ad4a63b4402a6f1f690b2bb654f2 (patch)
tree79fe30ceed91c27af3bef6bbf8d45a2f50d5a465 /debian
parentd5b951c541b8d9a4109bd301463da8271db4cf06 (diff)
Cherry-Pick upstream patch to fix ssl_do_config error with invalid OpenSSL system configuration
Closes: #958296
Diffstat (limited to 'debian')
-rw-r--r--debian/patches/fix-openssl-error.patch51
-rw-r--r--debian/patches/series1
2 files changed, 52 insertions, 0 deletions
diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch
new file mode 100644
index 0000000..566d7e6
--- /dev/null
+++ b/debian/patches/fix-openssl-error.patch
@@ -0,0 +1,51 @@
+In the corner case that the global OpenSSL has an invalid command like
+
+ MinProtocol = TLSv1.0
+
+(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
+
+the SSL_ctx_new function leaves the errors for parsing the config file
+on the stack.
+
+OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
+
+Since the later functions, especially the one of loading the
+certificates expected a clean error this error got reported at the
+wrong place.
+
+Print the warnings with crypto_msg when we detect that we are in this
+situation (this also clears the stack).
+---
+ src/openvpn/ssl_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 5955c6bd..555cbbdf 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -115,6 +115,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
+ {
+ crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
+ }
++ if (ERR_peek_error() != 0)
++ {
++ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
++ "has warnings.");
++ }
+ }
+
+ void
+@@ -128,6 +133,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
+ {
+ crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
+ }
++ if (ERR_peek_error() != 0)
++ {
++ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
++ "has warnings.");
++ }
+ }
+
+ void
+--
+2.26.0
diff --git a/debian/patches/series b/debian/patches/series
index a903d3d..6ef394c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ kfreebsd_support.patch
match-manpage-and-command-help.patch
spelling_errors.patch
systemd.patch
+fix-openssl-error.patch