[source] mbedtls: Re-allow SHA1-signed certificates

LEDE Commits lede-commits at lists.infradead.org
Tue Aug 15 09:17:05 PDT 2017


hauke pushed a commit to source.git, branch lede-17.01:
https://git.lede-project.org/3e35eb13ada3b87e87cd108f9d459b9484446e9c

commit 3e35eb13ada3b87e87cd108f9d459b9484446e9c
Author: Baptiste Jonglez <git at bitsofnetworks.org>
AuthorDate: Sun Jul 30 17:57:37 2017 +0200

    mbedtls: Re-allow SHA1-signed certificates
    
    Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
    This breaks openvpn clients that try to connect to servers that
    present a TLS certificate signed with SHA1, which is fairly common.
    
    Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
    
    Fixes: FS#942
    
    Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
---
 package/libs/mbedtls/Makefile                 | 2 +-
 package/libs/mbedtls/patches/200-config.patch | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 4cceb74..101324d 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
 PKG_VERSION:=2.5.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
index 39de3cc..fb5a74f 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -269,3 +269,12 @@
  
  /* \} name SECTION: mbed TLS modules */
  
+@@ -2646,7 +2646,7 @@
+  * recommended because of it is possible to generte SHA-1 collisions, however
+  * this may be safe for legacy infrastructure where additional controls apply.
+  */
+-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+ 
+ /**
+  * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
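Review bot: Defining MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES in the library's config.h relaxes the default certificate profile for every package linked against libmbedtls on the branch, not only the openvpn client named in the commit message, and the upstream comment quoted in this very hunk ("it is possible to generte SHA-1 collisions") is the reason the default was made strict. A narrower fix would keep the library default and have openvpn-mbedtls select a permissive profile at runtime via mbedtls_ssl_conf_cert_profile() with a mbedtls_x509_crt_profile whose allowed_mds includes SHA-1; failing that, expose the define as a build-time config option so downstream builds that do not need SHA-1 can leave it off, and say in the commit message that this is a global default change.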

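As an added example that is not part of the LEDE commit or of mbedtls itself: before relaxing the library-wide default, an operator can inventory which server certificates are actually SHA-1 signed. The small Python check below reads the outer signatureAlgorithm of a DER-encoded X.509 certificate with a minimal DER walker and flags the SHA-1 OIDs. The OID table, the walker and the constructed placeholder certificate are all assumptions made here; the sample certificate is structurally valid but carries a dummy body and signature and is not signed by anything.

```python
"""Flag SHA-1 certificate signatures in DER/PEM certificates (added example, not project code)."""
import base64

# signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758); assumption: these are the ones worth flagging
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsaWithSHA1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, end


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc or not arcs:                    # dangling continuation byte or empty OID
        raise ValueError("malformed OID")
    first = arcs[0]                        # first two arcs are packed as X*40 + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _, tbs_end = read_tlv(der, start)  # tbsCertificate: skipped entirely
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(der[oid_start:oid_end])


def classify_signature(der):
    """Return (algorithm name, is_sha1); unknown OIDs come back as (dotted OID, None)."""
    oid = signature_algorithm(der)
    return SIG_ALG_OIDS.get(oid, (oid, None))


def pem_to_der(pem_text):
    """DER body of the first CERTIFICATE block in PEM text (for use on real cert files)."""
    body = [l for l in pem_text.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


# --- constructed sample input (not a real certificate) -----------------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, bytes(body))


def sample_cert(sig_oid):
    """Structurally valid Certificate with a placeholder TBS and dummy signature (constructed)."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # stand-in tbsCertificate
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))      # AlgorithmIdentifier with NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 128)              # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)                     # long-form length, exercises read_tlv
```

Run it against a real server by saving the chain that `openssl s_client -showcerts` prints and passing each block through `pem_to_der` and then `classify_signature`; only the leaf and intermediates matter, since roots are trusted by identity, not by their self-signature.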