[LEDE-DEV] [PATCH] mbedtls: Re-allow SHA1-signed certificates

Baptiste Jonglez baptiste at bitsofnetworks.org
Sun Jul 30 13:54:00 PDT 2017


On Sun, Jul 30, 2017 at 06:00:48PM +0200, Baptiste Jonglez wrote:
> On Sun, Jul 30, 2017 at 05:57:37PM +0200, Baptiste Jonglez wrote:
> > Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
> > This breaks openvpn clients that try to connect to servers that
> > present a TLS certificate signed with SHA1, which is fairly common.
> > 
> > Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
> > 
> > Fixes: FS#942
> 
> This can be cherry-picked cleanly on the lede-17.01 branch.  I think it
> should be done, because the update to 2.5.1 broke a working use-case.

See the discussion on Flyspray: https://bugs.lede-project.org/index.php?do=details&task_id=942

As a compromise between security and stability, it makes sense to merge
this to lede-17.01 only, and keep SHA1 disabled in master.

> > Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
> > ---
> >  package/libs/mbedtls/Makefile                 | 2 +-
> >  package/libs/mbedtls/patches/200-config.patch | 9 +++++++++
> >  2 files changed, 10 insertions(+), 1 deletion(-)
> > 
> > diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
> > index 4cceb743d5..101324de07 100644
> > --- a/package/libs/mbedtls/Makefile
> > +++ b/package/libs/mbedtls/Makefile
> > @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
> >  
> >  PKG_NAME:=mbedtls
> >  PKG_VERSION:=2.5.1
> > -PKG_RELEASE:=1
> > +PKG_RELEASE:=2
> >  PKG_USE_MIPS16:=0
> >  
> >  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
> > diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
> > index 39de3cc1ec..fb5a74fc65 100644
> > --- a/package/libs/mbedtls/patches/200-config.patch
> > +++ b/package/libs/mbedtls/patches/200-config.patch
> > @@ -269,3 +269,12 @@
> >   
> >   /* \} name SECTION: mbed TLS modules */
> >   
> > +@@ -2646,7 +2646,7 @@
> > +  * recommended because of it is possible to generte SHA-1 collisions, however
> > +  * this may be safe for legacy infrastructure where additional controls apply.
> > +  */
> > +-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
> > ++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
> > + 
> > + /**
> > +  * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
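
Review bot: The uncommented `#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` changes the compile-time default in the library's own config, so it applies to everything built against this mbedtls package, not only the openvpn client that the commit message gives as motivation. The context comment directly above it says the option is not recommended because SHA-1 collisions can be generated. The commit message should state that trade-off and the intended scope (the follow-up proposes lede-17.01 only, with SHA1 kept disabled in master), so the define is not carried into later refreshes of 200-config.patch by accident. The hunk stops at the start of the next option's comment ("Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake") and leaves that option unchanged; a sentence saying this is deliberate would help.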


