From 9df4f6e383b6ad4a63b4402a6f1f690b2bb654f2 Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt
Date: Tue, 21 Apr 2020 16:56:12 +0200
Subject: Cherry-Pick upstream patch to fix ssl_do_config error with invalid OpenSSL system configuration

Closes: #958296
---
 debian/patches/fix-openssl-error.patch | 51 ++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 debian/patches/fix-openssl-error.patch

diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch
new file mode 100644
index 0000000..566d7e6
--- /dev/null
+++ b/debian/patches/fix-openssl-error.patch
@@ -0,0 +1,51 @@
+In the corner case that the global OpenSSL has an invalid command like
+
+ MinProtocol = TLSv1.0
+
+(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
+
+the SSL_ctx_new function leaves the errors for parsing the config file
+on the stack.
+
+OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
+
+Since the later functions, especially the one of loading the
+certificates expected a clean error this error got reported at the
+wrong place.
+
+Print the warnings with crypto_msg when we detect that we are in this
+situation (this also clears the stack).
+---
+ src/openvpn/ssl_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 5955c6bd..555cbbdf 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -115,6 +115,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
+ {
+ crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
+ }
++ if (ERR_peek_error() != 0)
++ {
++ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
++ "has warnings.");
++ }
+ }
+
+ void
+@@ -128,6 +133,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
+ {
+ crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
+ }
++ if (ERR_peek_error() != 0)
++ {
++ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
++ "has warnings.");
++ }
+ }
+
+ void
+--
+2.26.0
diff --git a/debian/patches/series b/debian/patches/series
index a903d3d..6ef394c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ kfreebsd_support.patch
 match-manpage-and-command-help.patch
 spelling_errors.patch
 systemd.patch
+fix-openssl-error.patch
--
cgit v1.2.3
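Review bot: The new debian/patches/fix-openssl-error.patch carries no DEP-3 header, so the patch file itself records neither where the change was taken from nor which bug it addresses; only the commit's `Closes: #958296` trailer does. Add at the top of the patch `Origin: upstream, <UPSTREAM-COMMIT-URL>` and `Bug-Debian: https://bugs.debian.org/958296` (plus `Applied-Upstream:` once the release is known) so the provenance survives outside git. In the nested C hunks the message `"Warning: TLS server context initialisation has warnings."` does not name the system OpenSSL configuration as the likely cause, and a rejected directive such as `MinProtocol` presumably leaves the process at OpenSSL's default protocol floor rather than the one the administrator intended, so a wording that points at the OpenSSL configuration file would be more actionable for an operator, although as a cherry-pick the text should track upstream. Per the description `crypto_msg` prints and drains the queued errors, so the `ssl_do_config:bad value` detail is still logged, and because `ERR_peek_error()` is checked right after the fatal `SSL_CTX_new` branch it will also report anything queued before that call. Both enclosing functions, tls_ctx_server_new and tls_ctx_client_new, begin before their hunks.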