On Tue, 2020-02-18 at 21:16 +0100, David Sommerseth wrote:
> Hi,
>
> I'm running rpmlint against packages built based on the Fedora Copr [1] build
> I've provided for some time. I'm planning to move this forward for the standard
> Fedora and EPEL repositories. But rpmlint complains about the usage of
> SSL_CTX_set_cipher_list(), which I in this case would call a false-positive
> for OpenVPN.
>
> [1] <https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/>
>     <https://gitlab.com/dazo/copr-openvpn3>
>
> The code which trips this warning is:
>
> -------------------------------------------------------------------------------
>     if (config->force_aes_cbc_ciphersuites)
>     {
>         if (!SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"))
>             OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed for force_aes_cbc_ciphersuites");
>     }
>     else
>     {
>         if (!SSL_CTX_set_cipher_list(ctx,
>                                      /* default list as a basis */
>                                      "DEFAULT"
>                                      /* Disable export ciphers, low and medium */
>                                      ":!EXP:!LOW:!MEDIUM"
>                                      /* Disable static (EC)DH keys (no forward secrecy) */
>                                      ":!kDH:!kECDH"
>                                      /* Disable DSA private keys */
>                                      ":!DSS"
>                                      /* Disable RC4 cipher */
>                                      ":!RC4"
>                                      /* Disable MD5 */
>                                      ":!MD5"
>                                      /* Disable unsupported TLS modes */
>                                      ":!PSK:!SRP:!kRSA"
>                                      /* Disable SSLv2 cipher suites */
>                                      ":!SSLv2"
>                                      ))
>             OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed");
> #if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
>         SSL_CTX_set_ecdh_auto(ctx, 1); // this method becomes a no-op in OpenSSL 1.1
> #endif
>     }
> -------------------------------------------------------------------------------
>
> These calls can be found in openvpn/openssl/ssl/sslctx.hpp
> <https://github.com/OpenVPN/openvpn3/blob/b62654274fd938ebb82dbe3a2e78d9b8fd465970/openvpn/openssl/ssl/sslctx.hpp#L1094>
>
> The first SSL_CTX_set_cipher_list() is being slated for removal, as the
> "force_aes_cbc_ciphersuits" feature is not considered needed any more;

As this would be a non-default setting, it would be fine anyway.

> negotiation works much better nowadays than when this was added
> about 5 years ago. But the cipher-list here shouldn't be of that much
> concern.
>
> The second block should really be fine too, it just strictly enforces a fairly
> strict default set of ciphers.

No, the second call is not correct. Basically there should be no call to
SSL_CTX_set_cipher_list() unless the user explicitly wants to override the
defaults. The default in Fedora is already sane and safe and ensures the
crypto policy is properly applied.

> So my question is if this will be a show-stopper for getting the openvpn3
> package into the standard Fedora + EPEL repositories?

Please just patch out the second call.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to
your conscience.]

_______________________________________________
security mailing list -- security@xxxxxxxxxxxxxxxxxxxxxxx
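The pattern the reply asks for, as an added example that is neither openvpn3 code nor code from the thread: the cipher list is left at the library default (where a system crypto policy such as Fedora's is applied) and is only set when an operator explicitly configured an override, and an override the library rejects fails loudly instead of silently leaving an empty cipher list. It uses Python's ssl module, which wraps the same OpenSSL SSL_CTX; the names make_tls_context, tls12_cipher_names and CipherListRejected are assumptions, and whether the "default" path really reflects the system policy depends on the interpreter having been built to use OpenSSL's default suites, as Fedora's is.

```python
import ssl


class CipherListRejected(ValueError):
    """Raised when an explicitly configured cipher list is refused by the library."""


def make_tls_context(explicit_cipher_list=None):
    """Return (context, overridden).

    explicit_cipher_list stays None unless an operator configured one, so the
    default path never touches the cipher list at all. That is the equivalent
    of removing the unconditional SSL_CTX_set_cipher_list() call: the context
    keeps whatever the library (and on Fedora, the crypto policy) allows.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if explicit_cipher_list is None:
        return ctx, False
    try:
        ctx.set_ciphers(explicit_cipher_list)
    except ssl.SSLError as exc:
        # OpenSSL answers "No cipher can be selected" when every suite in a
        # hard-coded list is unknown or disallowed; treat that as a
        # configuration error rather than starting with nothing negotiable.
        raise CipherListRejected(
            f"cipher list {explicit_cipher_list!r} rejected: {exc}") from exc
    return ctx, True


def tls12_cipher_names(ctx):
    """Names of the negotiable pre-TLS1.3 suites, the ones set_ciphers() governs."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    ctx, overridden = make_tls_context()
    print("default path: overridden =", overridden,
          "| TLS1.2 suites available:", len(tls12_cipher_names(ctx)))
    ctx, overridden = make_tls_context("ECDHE-RSA-AES256-GCM-SHA384")
    print("explicit override:", tls12_cipher_names(ctx))
    try:
        make_tls_context("NONEXISTENT-SUITE")  # constructed, invalid on purpose
    except CipherListRejected as err:
        print("rejected as expected:", err)
```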