From f2b3dda12a731c2e0971cb7889728edaf23f6cb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Mon, 29 Nov 2021 20:46:00 +0100 Subject: New upstream version 2.5.4 --- src/openvpn/ssl_mbedtls.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'src/openvpn/ssl_mbedtls.c') diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 9c87478..0fe70e4 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -5,8 +5,8 @@ * packet encryption, packet authentication, and * packet compression. * - * Copyright (C) 2002-2018 OpenVPN Inc - * Copyright (C) 2010-2018 Fox Crypto B.V. + * Copyright (C) 2002-2021 OpenVPN Inc + * Copyright (C) 2010-2021 Fox Crypto B.V. * Copyright (C) 2006-2010, Brainspark B.V. * * This program is free software; you can redistribute it and/or modify @@ -1070,7 +1070,18 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); #ifdef MBEDTLS_DEBUG_C - mbedtls_debug_set_threshold(3); + /* We only want to have mbed TLS generate debug level logging when we would + * also display it. + * In fact mbed TLS 2.25.0 crashes generating debug log if Curve25591 is + * selected for DH (https://github.com/ARMmbed/mbedtls/issues/4208) */ + if (session->opt->ssl_flags & SSLF_TLS_DEBUG_ENABLED) + { + mbedtls_debug_set_threshold(3); + } + else + { + mbedtls_debug_set_threshold(2); + } #endif mbedtls_ssl_conf_dbg(ks_ssl->ssl_config, my_debug, NULL); mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random, @@ -1088,6 +1099,13 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups); } + /* Disable TLS renegotiations if the mbedtls library supports that feature. + * OpenVPN's renegotiation creates new SSL sessions and does not depend on + * this feature and TLS renegotiations have been problematic in the past. */ +#if defined(MBEDTLS_SSL_RENEGOTIATION) + mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED); +#endif /* MBEDTLS_SSL_RENEGOTIATION */ + /* Disable record splitting (for now). OpenVPN assumes records are sent * unfragmented, and changing that will require thorough review and * testing. Since OpenVPN is not susceptible to BEAST, we can just -- cgit v1.2.3