Add reporting of IV_SSL_VER

This information is only send if push-peer-info is enabled. It is meant to have an easy way for centrally adminstrated to spot clients using outdated SSL libraries.
2024-09-20 12:12:15 +02:00 · 2019-08-22 14:08:43 +02:00 · 2019-08-22 14:08:43 +02:00 · 23959fa705
commit 23959fa705
parent 63ab5b5e46
4 changed files with 25 additions and 1 deletions
--- a/openvpn/client/cliopt.hpp
+++ b/openvpn/client/cliopt.hpp
@ -548,6 +548,7 @@ namespace openvpn {
 	  std::string hwaddr = get_hwaddr();
 	  if (!hwaddr.empty())
 	    pi->emplace_back("IV_HWADDR", hwaddr);
+	  pi->emplace_back ("IV_SSL", get_ssl_library_version());
 	}

      return pi;
--- a/openvpn/mbedtls/ssl/sslctx.hpp
+++ b/openvpn/mbedtls/ssl/sslctx.hpp
@ -1461,6 +1461,16 @@ namespace openvpn {
    }
  };

+  inline const std::string get_ssl_library_version()
+  {
+    unsigned int ver = mbedtls_version_get_number();
+    std::string version = "mbed TLS " +
+			  std::to_string((ver>>24)&0xff) +
+			  "." + std::to_string((ver>>16)&0xff) +
+			  "." + std::to_string((ver>>8)&0xff);
+
+    return version;
+  }
 } // namespace openvpn

 #endif
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@ -2132,6 +2132,10 @@ namespace openvpn {
  SSL_METHOD OpenSSLContext::SSL::ssl23_method_client_;
  SSL_METHOD OpenSSLContext::SSL::ssl23_method_server_;
 #endif
-}

+  inline const std::string get_ssl_library_version()
+  {
+    return OpenSSL_version(OPENSSL_VERSION);
+  }
+}
 #endif
--- a/openvpn/ssl/sslapi.hpp
+++ b/openvpn/ssl/sslapi.hpp
@ -188,6 +188,15 @@ namespace openvpn {

    virtual SSLFactoryAPI::Ptr new_factory() = 0;
  };
+
+  /**
+   * Reports a human readable string of the SSL library in use and its version.
+   * E.g. mbed TLS 1.2.4
+   *
+   * @return a human readable SSL library version string
+   */
+  inline const std::string get_ssl_library_version();
+
 }

 #endif