Hi,

I'm running rpmlint against packages built based on the Fedora Copr [1] build I've provided for some time. I'm planning to move this forward for the standard Fedora and EPEL repositories. But rpmlint complains about the usage of SSL_CTX_set_cipher_list(), which I in this case would call a false-positive for OpenVPN.

[1] <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/>
    <https://gitlab.com/dazo/copr-openvpn3>

The code which trips this warning is:

-------------------------------------------------------------------------------
    if (config->force_aes_cbc_ciphersuites)
    {
        if (!SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"))
            OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed for force_aes_cbc_ciphersuites");
    }
    else
    {
        if (!SSL_CTX_set_cipher_list(ctx,
            /* default list as a basis */
            "DEFAULT"
            /* Disable export ciphers, low and medium */
            ":!EXP:!LOW:!MEDIUM"
            /* Disable static (EC)DH keys (no forward secrecy) */
            ":!kDH:!kECDH"
            /* Disable DSA private keys */
            ":!DSS"
            /* Disable RC4 cipher */
            ":!RC4"
            /* Disable MD5 */
            ":!MD5"
            /* Disable unsupported TLS modes */
            ":!PSK:!SRP:!kRSA"
            /* Disable SSLv2 cipher suites*/
            ":!SSLv2"
            ))
            OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed");
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
        SSL_CTX_set_ecdh_auto(ctx, 1); // this method becomes a no-op in OpenSSL 1.1
#endif
    }
-------------------------------------------------------------------------------

These calls can be found in openvpn/openssl/ssl/sslctx.hpp
<https://github.com/OpenVPN/openvpn3/blob/b62654274fd938ebb82dbe3a2e78d9b8fd465970/openvpn/openssl/ssl/sslctx.hpp#L1094>

The first SSL_CTX_set_cipher_list() is being slated for removal, as the "force_aes_cbc_ciphersuites" feature is not considered needed any more; negotiation works much better nowadays than when this was added about 5 years ago. But the cipher-list here shouldn't be of that much concern.
The second block should really be fine too, it just strictly enforces a fairly strict default set of ciphers.

So my question is if this will be a show-stopper for getting the openvpn3 package into the standard Fedora + EPEL repositories?

--
kind regards,

David Sommerseth
OpenVPN Inc
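
A reviewer can check what the two cipher strings quoted in the message expand to on the local OpenSSL build. The script below is an added example, not part of the original message or of the openvpn3 code; it assumes Python's ssl module (whose set_ciphers() calls SSL_CTX_set_cipher_list()), and the helper names expand() and audit() are hypothetical.

```python
import ssl

# Cipher strings copied from the code quoted in the message above.
FORCE_AES_CBC = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
STRICT_DEFAULT = (
    "DEFAULT"
    ":!EXP:!LOW:!MEDIUM"
    ":!kDH:!kECDH"
    ":!DSS"
    ":!RC4"
    ":!MD5"
    ":!PSK:!SRP:!kRSA"
    ":!SSLv2"
)

# Name fragments for the suite families the second string is meant to exclude.
LEGACY_TOKENS = ("RC4", "MD5", "EXP", "PSK", "SRP", "DSS", "NULL")


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names the local OpenSSL selects for a string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # The string selects no usable suite on this OpenSSL build.
        return []
    # TLS 1.3 suites are configured separately and are not affected by this
    # cipher list, so they are left out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(names):
    """Summarise the properties a packaging review would look at."""
    return {
        "total": len(names),
        "no_forward_secrecy": [n for n in names
                               if not n.startswith(("ECDHE-", "DHE-"))],
        "legacy_tokens": [n for n in names
                          if any(t in n for t in LEGACY_TOKENS)],
        "aead": [n for n in names
                 if "GCM" in n or "CCM" in n or "CHACHA20" in n],
    }


if __name__ == "__main__":
    for label, string in (("force_aes_cbc", FORCE_AES_CBC),
                          ("default", STRICT_DEFAULT)):
        names = expand(string)
        print(label, audit(names))
        print("  " + "\n  ".join(names))
```

The result depends on the OpenSSL version Python is linked against, so the listing is worth running on each target release (Fedora and EPEL).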