Diffstat (limited to 'debian/patches/fix-openssl-error.patch')
-rw-r--r--debian/patches/fix-openssl-error.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch
new file mode 100644
index 0000000..566d7e6
--- /dev/null
+++ b/debian/patches/fix-openssl-error.patch
@@ -0,0 +1,51 @@
+In the corner case that the global OpenSSL has an invalid command like
+
+ MinProtocol = TLSv1.0
+
+(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
+
+the SSL_ctx_new function leaves the errors for parsing the config file
+on the stack.
+
+OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
+
+Since the later functions, especially the one of loading the
+certificates expected a clean error this error got reported at the
+wrong place.
+
+Print the warnings with crypto_msg when we detect that we are in this
+situation (this also clears the stack).
+---
+ src/openvpn/ssl_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 5955c6bd..555cbbdf 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -115,6 +115,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
+ {
+ crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
+ }
++ if (ERR_peek_error() != 0)
++ {
++ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
++ "has warnings.");
++ }
+ }
+
+ void
+@@ -128,6 +133,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
+ {
+ crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
+ }
++ if (ERR_peek_error() != 0)
++ {
++ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
++ "has warnings.");
++ }
+ }
+
+ void
+--
+2.26.0
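Review bot: The new `ERR_peek_error()` checks in tls_ctx_server_new and tls_ctx_client_new report whatever is on the OpenSSL error queue after `SSL_CTX_new`, including entries queued by earlier unrelated calls, so the warning can misattribute stale errors to context initialisation — the same class of misplaced-error problem the patch sets out to fix; adding `ERR_clear_error();` immediately before each `SSL_CTX_new` call would make the attribution exact, and since the description says crypto_msg drains the queue, the stack is clean afterwards either way. A second caveat worth stating in the message: a directive rejected by the global OpenSSL config (the `MinProtocol = TLSv1.0` example) presumably means that setting was not applied to the context, so the process may be running with less restrictive TLS settings than the administrator intended, and an M_WARN line is easy to miss in logs, e.g. `"Warning: TLS server context initialisation has warnings; the system OpenSSL config may not have been applied."`. The two identical added blocks could also be one static helper taking the "server"/"client" string so the wording and any future clear-before-create fix stay in sync. Both enclosing functions begin before their hunks.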