[LEDE-DEV] [PATCH] mbedtls: Re-allow SHA1-signed certificates
Baptiste Jonglez
baptiste at bitsofnetworks.org
Sun Jul 30 09:00:48 PDT 2017
On Sun, Jul 30, 2017 at 05:57:37PM +0200, Baptiste Jonglez wrote:
> Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
> This breaks openvpn clients that try to connect to servers that
> present a TLS certificate signed with SHA1, which is fairly common.
>
> Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
>
> Fixes: FS#942
This can be cherry-picked cleanly on the lede-17.01 branch. I think it
should be done, because the update to 2.5.1 broke a working use-case.
> Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
> ---
> package/libs/mbedtls/Makefile | 2 +-
> package/libs/mbedtls/patches/200-config.patch | 9 +++++++++
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
> index 4cceb743d5..101324de07 100644
> --- a/package/libs/mbedtls/Makefile
> +++ b/package/libs/mbedtls/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>
> PKG_NAME:=mbedtls
> PKG_VERSION:=2.5.1
> -PKG_RELEASE:=1
> +PKG_RELEASE:=2
> PKG_USE_MIPS16:=0
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
> diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
> index 39de3cc1ec..fb5a74fc65 100644
> --- a/package/libs/mbedtls/patches/200-config.patch
> +++ b/package/libs/mbedtls/patches/200-config.patch
> @@ -269,3 +269,12 @@
>
> /* \} name SECTION: mbed TLS modules */
>
> +@@ -2646,7 +2646,7 @@
> + * recommended because of it is possible to generte SHA-1 collisions, however
> + * this may be safe for legacy infrastructure where additional controls apply.
> + */
> +-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
> ++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
> +
> + /**
> + * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
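Review bot: the uncommented "#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES" in this hunk changes the compile-time default of the shared mbedtls package, so every program linked against it will accept SHA-1-signed certificates by default, not only openvpn, which is the one client the commit message names. The upstream comment carried in the same hunk says this is not recommended because SHA-1 collisions can be generated and is meant for legacy infrastructure where additional controls apply. Please state that library-wide scope in the commit message and in a comment next to the define, and consider making it an opt-in build option rather than the default for all consumers.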