Opened 2 years ago
Closed 2 years ago
#1460 closed Bug / Defect (fixed)
Bug in openssl3 provider support
| Reported by: | baentsch | Owned by: | Selva Nair |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.6 |
| Component: | Crypto | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | plaisthos |
Description
The use of the function "SSL_CTX_set1_groups" in the implementation of https://github.com/OpenVPN/openvpn/blob/2612125d7cf5e3c8687a3fab8fba61670ac12f35/src/openvpn/ssl_openssl.c#L572 does not adhere to/is not permitted in the presence of OpenSSL3 providers as per the OpenSSL documentation (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html): "A number of these functions identify groups via a unique integer NID value. However, support for some groups may be added by external providers. In this case there will be no NID assigned for the group. When setting such groups applications should use the "list" form of these functions (i.e. SSL_CTX_set1_groups_list() and SSL_set1_groups_list)."
The concrete use case: TLS1.3 group names of quantum-safe KEM algorithms are rejected by this OpenVPN function even though they are perfectly valid and implemented in the [oqsprovider](https://github.com/open-quantum-safe/oqs-provider)
Change History (3)
comment:1 Changed 2 years ago by
| Cc: | plaisthos added |
|---|---|
| Owner: | changed from Steffan Karger to Selva Nair |
| Status: | new → assigned |
comment:2 Changed 2 years ago by
| Milestone: | → release 2.6 |
|---|
comment:3 Changed 2 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Yes. Fixed by the submitter of the bug himself: https://github.com/openvpn/openvpn/commit/711a4044a095e83bb70f4620310d385d6f5c7282
I seem to remember this was also discussed somewhere else. Has this been resolved?