Opened 3 months ago

Closed 5 weeks ago

#1460 closed Bug / Defect (fixed)

Bug in openssl3 provider support

Reported by: baentsch Owned by: Selva Nair
Priority: major Milestone: release 2.6
Component: Crypto Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: plaisthos

Description

The use of the function "SSL_CTX_set1_groups" in the implementation of https://github.com/OpenVPN/openvpn/blob/2612125d7cf5e3c8687a3fab8fba61670ac12f35/src/openvpn/ssl_openssl.c#L572 does not adhere to/is not permitted in the presence of OpenSSL3 providers as per the OpenSSL documentation (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html): "A number of these functions identify groups via a unique integer NID value. However, support for some groups may be added by external providers. In this case there will be no NID assigned for the group. When setting such groups applications should use the "list" form of these functions (i.e. SSL_CTX_set1_groups_list() and SSL_set1_groups_list)."

The concrete use case: TLS1.3 group names of quantum-safe KEM algorithms are rejected by this OpenVPN function even though they are perfectly valid and implemented in the [oqsprovider](https://github.com/open-quantum-safe/oqs-provider)

Change History (3)

comment:1 Changed 5 weeks ago by Gert Döring

Cc: plaisthos added
Owner: changed from Steffan Karger to Selva Nair
Status: newassigned

I seem to remember this was also discussed somewhere else. Has this been resolved?

comment:2 Changed 5 weeks ago by Gert Döring

Milestone: release 2.6

comment:3 Changed 5 weeks ago by plaisthos

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.