Implement tls-cert-profile in profile and parser
This commit is contained in:
parent
9ca366fb2d
commit
90ba71780c
@ -91,7 +91,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
|
||||
-DNO_ROUTE_EXCLUDE_EMULATION
|
||||
-DOPENVPN_SHOW_SESSION_TOKEN
|
||||
-DOPENSSL_API_COMPAT=0x10200000L
|
||||
|
||||
-DOPENVPN_ALLOW_INSECURE_CERTPROFILE
|
||||
)
|
||||
else ()
|
||||
message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
|
||||
|
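Review bot: The define `-DOPENVPN_ALLOW_INSECURE_CERTPROFILE` (presumably the line this hunk adds) carries no comment saying what it unlocks or why the build opts in. A one-line `# allow the 'insecure' tls-cert-profile value; the profile UI flags it as a low-security warning` next to it would tell a later reader that the opt-in is deliberate and where the user-facing safeguard lives. The enclosing `if (...)` block starts outside the hunk.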
@ -1 +1 @@
|
||||
Subproject commit 6857da80d8ac395e457df4f8ea5d7d9260137a0e
|
||||
Subproject commit 5800c9b4ee989e4b27428669af0a36353d377612
|
@ -1 +1 @@
|
||||
Subproject commit dfa16e552e3dca8aa11766a5db0c097060c8a7d3
|
||||
Subproject commit d5c5efaf01aaf5317de4900a78558ca53761bbfb
|
@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable {
|
||||
|
||||
if (mUseLegacyProvider)
|
||||
cfg.append("provider legacy:default\n");
|
||||
|
||||
if (!TextUtils.isEmpty(mTlSCertProfile))
|
||||
cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));
|
||||
} else {
|
||||
cfg.append("# Config for OpenVPN 3 C++\n");
|
||||
}
|
||||
|
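Review bot: The line `cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));` emits the field into the generated config verbatim; only the ConfigParser import path checks it against the allowed values, so a VpnProfile whose field was populated another way (the class is Serializable, and other setters are not visible here) is not validated before it is written out, and the same unchecked value is handed to `config.setTlsCertProfileOverride(...)` in the OpenVPNThreadv3 hunk. A reviewer would want the allowed set (`insecure`, `preferred`, `legacy`, `suiteb`) defined once on VpnProfile and checked at emission time as well, e.g. `if (!TextUtils.isEmpty(mTlSCertProfile) && isValidTlsCertProfile(mTlSCertProfile))`. `String.format` without an explicit `Locale` is a minor point given the argument is a plain string. The enclosing method starts and ends outside the hunk.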
@ -546,6 +546,21 @@ public class ConfigParser {
|
||||
{
|
||||
np.mDataCiphers = ncp_ciphers.get(1);
|
||||
}
|
||||
Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1);
|
||||
if (tls_cert_profile != null)
|
||||
{
|
||||
String profile = tls_cert_profile.get(1);
|
||||
for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) {
|
||||
if (choice.equals(profile)) {
|
||||
np.mTlSCertProfile = profile;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!profile.equals(np.mTlSCertProfile))
|
||||
{
|
||||
throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Vector<String> compatmode = getOption("compat-mode", 1, 1);
|
||||
|
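Review bot: The validity check `if (!profile.equals(np.mTlSCertProfile))` is indirect: it depends on the preceding loop having assigned the field, and it would also pass if `np.mTlSCertProfile` already held the same value before parsing, which makes the error path harder to follow. A direct membership check is clearer and keeps the allowed list in one expression: `if (!Arrays.asList("insecure", "preferred", "legacy", "suiteb").contains(profile))` / `throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");` / `np.mTlSCertProfile = profile;`. Whether `java.util.Arrays` is already imported in this file is not visible in the hunk. The enclosing method begins and ends outside the hunk.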
@ -442,9 +442,7 @@
|
||||
MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.</p><p>
|
||||
You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
|
||||
near future.</p>
|
||||
<p>If you really want to use old and broken certificates use the custom
|
||||
configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
|
||||
imported configuration</p>
|
||||
<p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile</p>
|
||||
</string>
|
||||
<string name="volume_byte">%.0f B</string>
|
||||
<string name="volume_kbyte">%.1f kB</string>
|
||||
@ -499,7 +497,7 @@
|
||||
<string name="check_peer_fingerprint">Check peer certificate fingerprint</string>
|
||||
<string name="fingerprint">(Enter the SHA256 fingerprint of the server certificate(s))</string>
|
||||
<string name="proxy_info">HTTP Proxy: %1$s %2$d</string>
|
||||
<string name="use_alwayson_vpn">Please you the Always-On Feature of Android to enable VPN at boot time.</string>
|
||||
<string name="use_alwayson_vpn">Please use the Always-On Feature of Android to enable VPN at boot time.</string>
|
||||
<string name="open_vpn_settings">Open VPN Settings</string>
|
||||
<string name="trigger_pending_auth_dialog">Press here open a window to enter additional required authentication</string>
|
||||
<string name="compatmode">Compatibility Mode</string>
|
||||
|
@ -3,6 +3,7 @@ package de.blinkt.openvpn.core;
|
||||
import android.annotation.SuppressLint;
|
||||
import android.content.Context;
|
||||
import android.provider.Settings;
|
||||
import android.text.TextUtils;
|
||||
|
||||
import net.openvpn.ovpn3.ClientAPI_Config;
|
||||
import net.openvpn.ovpn3.ClientAPI_EvalConfig;
|
||||
@ -183,6 +184,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
|
||||
boolean retryOnAuthFailed = mVp.mAuthRetry == AUTH_RETRY_NOINTERACT;
|
||||
config.setRetryOnAuthFailed(retryOnAuthFailed);
|
||||
config.setEnableLegacyAlgorithms(mVp.mUseLegacyProvider);
|
||||
if (!TextUtils.isEmpty(mVp.mTlSCertProfile))
|
||||
config.setTlsCertProfileOverride(mVp.mTlSCertProfile);
|
||||
|
||||
ClientAPI_EvalConfig ec = eval_config(config);
|
||||
if (ec.getExternalPki()) {
|
||||
|
@ -302,6 +302,9 @@ object Utils {
|
||||
if (vp.mCompatMode > 0 )
|
||||
warnings.add("compat mode enabled")
|
||||
|
||||
if ("insecure".equals(vp.mTlSCertProfile))
|
||||
warnings.add("low security (TLS security profile 'insecure' selected)");
|
||||
|
||||
var cipher= vp.mCipher.toUpperCase(Locale.ROOT)
|
||||
if (cipher.isNullOrEmpty())
|
||||
cipher = "BF-CBC";
|
||||
|
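Review bot: Style: `if ("insecure".equals(vp.mTlSCertProfile))` followed by a statement with a trailing semicolon is Java idiom carried into this Kotlin file; the surrounding lines use no semicolons and Kotlin's structural equality, so `if (vp.mTlSCertProfile == "insecure")` / `warnings.add("low security (TLS security profile 'insecure' selected)")` matches the file. The enclosing function starts and ends outside the hunk.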