From 740a5e8bac88e385961c7877a291f5b63a5de9bd Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Apr 20 2017 10:50:21 +0000 Subject: Testing enabling MD5 support for mbed TLS Resolves: rhbz#1443749 --- diff --git a/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch b/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch index 5b3f24c..497f0ec 100644 --- a/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch +++ b/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch @@ -1,4 +1,4 @@ -From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001 +From bb1dd452d4b315f9dee533c9171974cab2565fbc Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Thu, 23 Mar 2017 01:34:06 +0100 Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora @@ -6,37 +6,44 @@ Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora This patch hard codes an alternative mbed TLS profile to allow RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing. +v2 - Added MD5 support as well plus aligned PK alg and curve + flags to what other implementations does. + Signed-off-by: David Sommerseth --- - src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) + src/openvpn/ssl_mbedtls.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c -index ba8dadf..05f8a48 100644 +index ba8dadf..37fa021 100644 --- a/src/openvpn/ssl_mbedtls.c 
+++ b/src/openvpn/ssl_mbedtls.c -@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, +@@ -932,6 +932,33 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED); #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ + /* Fedora adoption - allow legacy certificates -+ * Taken from the OpenVPN 3 Core code base ++ * Taken from the OpenVPN 3 Core code base with ++ * the addition of adding MD5 support as well. + */ + const static mbedtls_x509_crt_profile crt_profile_legacy = { ++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_MD5 ) | + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) | + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) | + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), -+ -1, /* Any PK alg */ -+ -1, /* Any curve */ ++ 0xFFFFFFF, /* Any PK alg */ ++ 0xFFFFFFF, /* Any curve */ + 1024, /* Minimum size for RSA keys */ + }; + mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy); + static bool fedora_mod_info = false; + if (!fedora_mod_info) { -+ msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode"); ++ msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode."); ++ msg(M_INFO, "[Fedora modification] Re-enabled MD5 certificate support. " ++ "If you depend on MD5 certificates *UPDATE ASAP* They are *INSECURE*."); + fedora_mod_info = true; + } + diff --git a/openvpn.spec b/openvpn.spec index 94c031e..5ba8f9a 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -7,7 +7,7 @@ Name: openvpn Version: 2.4.1 -Release: 3%{?prerelease:.%{prerelease}}%{?dist} +Release: 3_scratch1%{?prerelease:.%{prerelease}}%{?dist} Summary: A full-featured SSL VPN solution URL: https://community.openvpn.net/ Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz 
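Review bot: The `crt_profile_legacy` handed to `mbedtls_ssl_conf_cert_profile()` in `key_state_ssl_init()` is applied unconditionally, so with this change every TLS session of this build accepts MD5-signed certificates (as well as SHA1, RIPEMD160 and 1024-bit RSA), not only the setups that still depend on them. MD5 signatures are open to collision forgery, so the weakening should be clearly visible and clearly temporary: emit the two notices with `msg(M_WARN, ...)` rather than `M_INFO`, and extend the block comment with something like `/* MD5 is collision-broken; remove MBEDTLS_MD_MD5 again once rhbz#1443749 users have migrated */`. As a style point, `const static mbedtls_x509_crt_profile` reads more conventionally as `static const mbedtls_x509_crt_profile`. The rest of `key_state_ssl_init()` lies outside the hunk, so whether a later call replaces this profile cannot be seen from here.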
@@ -177,6 +177,9 @@ getent passwd openvpn &>/dev/null || \ %changelog +* Thu Apr 20 2017 David Sommerseth - 2.4.1-3_scratch1 +- Testing enabling MD5 certificate support (#1443749) + * Wed Mar 29 2017 David Sommerseth - 2.4.1-3 - Splitting out -devel files into a separate package - Removed several contrib and sample files which makes is not