diff options
Diffstat (limited to 'debian/patches/fix-openssl-error.patch')
-rw-r--r-- | debian/patches/fix-openssl-error.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch new file mode 100644 index 0000000..db035ad --- /dev/null +++ b/debian/patches/fix-openssl-error.patch @@ -0,0 +1,49 @@ +In the corner case that the global OpenSSL has an invalid command like + + MinProtocol = TLSv1.0 + +(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct) + +the SSL_ctx_new function leaves the errors for parsing the config file +on the stack. + +OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value + +Since the later functions, especially the one of loading the +certificates expected a clean error this error got reported at the +wrong place. + +Print the warnings with crypto_msg when we detect that we are in this +situation (this also clears the stack). +--- + src/openvpn/ssl_openssl.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +Index: trunk/src/openvpn/ssl_openssl.c +=================================================================== +--- trunk.orig/src/openvpn/ssl_openssl.c ++++ trunk/src/openvpn/ssl_openssl.c +@@ -120,6 +120,11 @@ tls_ctx_server_new(struct tls_root_ctx * + crypto_msg(M_WARN, "Warning: TLS server context initialisation " + "has warnings."); + } ++ if (ERR_peek_error() != 0) ++ { ++ crypto_msg(M_WARN, "Warning: TLS server context initialisation " ++ "has warnings."); ++ } + } + + void +@@ -135,6 +140,11 @@ tls_ctx_client_new(struct tls_root_ctx * + } + if (ERR_peek_error() != 0) + { ++ crypto_msg(M_WARN, "Warning: TLS client context initialisation " ++ "has warnings."); ++ } ++ if (ERR_peek_error() != 0) ++ { + crypto_msg(M_WARN, "Warning: TLS client context initialisation " + "has warnings."); + } |