Diffstat (limited to 'debian/patches/fix-openssl-error.patch')
-rw-r--r--debian/patches/fix-openssl-error.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch
new file mode 100644
index 0000000..db035ad
--- /dev/null
+++ b/debian/patches/fix-openssl-error.patch
@@ -0,0 +1,49 @@
+In the corner case that the global OpenSSL has an invalid command like
+
+ MinProtocol = TLSv1.0
+
+(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
+
+the SSL_ctx_new function leaves the errors for parsing the config file
+on the stack.
+
+OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
+
+Since the later functions, especially the one of loading the
+certificates expected a clean error this error got reported at the
+wrong place.
+
+Print the warnings with crypto_msg when we detect that we are in this
+situation (this also clears the stack).
+---
+ src/openvpn/ssl_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+Index: trunk/src/openvpn/ssl_openssl.c
+===================================================================
+--- trunk.orig/src/openvpn/ssl_openssl.c
++++ trunk/src/openvpn/ssl_openssl.c
+@@ -120,6 +120,11 @@ tls_ctx_server_new(struct tls_root_ctx *
+ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
+ "has warnings.");
+ }
++ if (ERR_peek_error() != 0)
++ {
++ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
++ "has warnings.");
++ }
+ }
+
+ void
+@@ -135,6 +140,11 @@ tls_ctx_client_new(struct tls_root_ctx *
+ }
+ if (ERR_peek_error() != 0)
+ {
++ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
++ "has warnings.");
++ }
++ if (ERR_peek_error() != 0)
++ {
+ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
+ "has warnings.");
+ }
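Review bot: Both inner hunks carry context that already contains the `ERR_peek_error()` warning block they add — in the server hunk the `crypto_msg(M_WARN, "Warning: TLS server context initialisation "` lines sit directly above the added `if`, and in the client hunk the context `if (ERR_peek_error() != 0)` line precedes the added `crypto_msg` and the context `crypto_msg` lines follow the added `if` — so applying this patch leaves two back-to-back identical checks in each of `tls_ctx_server_new` and `tls_ctx_client_new`, the second of which can never fire if `crypto_msg` drains the error queue as the description says it does. This looks like the patch was refreshed against a tree that already carried the fix; it should be regenerated against pristine upstream, or dropped if the packaged upstream already contains the change. The leading indentation of the inner diff appears collapsed in this rendering, so whether it still applies cleanly under quilt cannot be judged from here. Separately, the description names `SSL_ctx_new` where the OpenSSL API is `SSL_CTX_new`, and the file has no DEP-3 headers (`Description:`, `Origin:`, `Bug:`/`Forwarded:`) ahead of the `---` separator, which Debian's patch tracking expects. It is also worth stating in the description that a rejected `MinProtocol` line only yields a warning here, so the intended protocol floor is not enforced by the resulting context and operators must check the log for it.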