
Rename OPENVPN_USE_TLS_MD5 to OPENVPN_ALLOW_INSECURE_CERTPROFILE

With OpenSSL 3.0 the name with MD5 no longer makes sense, as it affects
not only MD5 but also SHA1 and a number of other settings. So replace the
define with a more fitting name.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
Arne Schwabe 2021-10-13 15:30:11 +02:00 committed by David Sommerseth
parent 9ed6f69a3b
commit 7897c3bd7e
No known key found for this signature in database
GPG Key ID: 86CF944C9671FDF2
5 changed files with 10 additions and 10 deletions


@ -75,7 +75,7 @@ $GPP_CMD \
-DASIO_STANDALONE \
-DASIO_NO_DEPRECATED \
-DHAVE_LZ4 \
-DOPENVPN_USE_TLS_MD5 \
-DOPENVPN_ALLOW_INSECURE_CERTPROFILE \
-DASIO_HAS_STD_STRING_VIEW \
-I$O3/core/client \
-I$O3/core \


@ -138,7 +138,7 @@ namespace openvpn {
* X509 cert profiles.
*/
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
// This profile includes the broken MD5 alrogithm.
// We are going to ship support for this algorithm for a limited
// amount of time to allow our users to switch to something else
@ -598,7 +598,7 @@ namespace openvpn {
{
switch (TLSCertProfile::default_if_undef(tls_cert_profile))
{
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
case TLSCertProfile::INSECURE:
return &mbedtls_ctx_private::crt_profile_insecure;
#endif


@ -1314,7 +1314,7 @@ namespace openvpn {
OPENVPN_THROW(ssl_context_error,
"OpenSSLContext: undefined tls-cert-profile");
break;
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
case TLSCertProfile::INSECURE:
SSL_CTX_set_security_level(ctx, 0);
break;
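Review bot: The `SSL_CTX_set_security_level(ctx, 0)` call in the `TLSCertProfile::INSECURE` case carries no comment saying what level 0 permits, so after the rename the macro name is the only hint a reader gets. Level 0 switches off OpenSSL's security-level checks altogether, which is why the commit message says the setting reaches beyond MD5 to SHA1 and other parameters. I would add a comment above the call such as `// Security level 0: no OpenSSL security-level restrictions (weak signature digests, short keys); only compiled in with OPENVPN_ALLOW_INSECURE_CERTPROFILE`. The enclosing switch starts and ends outside this hunk.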


@ -34,7 +34,7 @@ namespace openvpn {
namespace TLSCertProfile {
enum Type {
UNDEF=0,
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
INSECURE,
#endif
LEGACY,
@ -56,7 +56,7 @@ namespace openvpn {
{
case UNDEF:
return "UNDEF";
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
case INSECURE:
return "INSECURE";
#endif
@ -73,7 +73,7 @@ namespace openvpn {
inline Type parse_tls_cert_profile(const std::string& profile_name)
{
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
if (profile_name == "insecure")
return INSECURE;
else
@ -108,7 +108,7 @@ namespace openvpn {
const Type orig = type;
if (override.empty() || override == "default")
;
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
else if (override == "insecure-default")
{
if (orig == UNDEF)
@ -125,7 +125,7 @@ namespace openvpn {
if (orig == UNDEF)
type = PREFERRED;
}
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
else if (override == "insecure")
type = INSECURE;
#endif
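Review bot: Nothing in the visible hunks catches a build that still passes the old `OPENVPN_USE_TLS_MD5` define, so such a build would compile cleanly while `INSECURE`, the `"insecure"` profile name and the `"insecure"`/`"insecure-default"` overrides silently disappear. Losing the profile is the safe direction, but embedders would only find out at runtime when a profile fails to parse, and a handler may exist in a file this page does not show. A guard near the top of this header would make the rename explicit: `#if defined(OPENVPN_USE_TLS_MD5) && !defined(OPENVPN_ALLOW_INSECURE_CERTPROFILE)` / `#error "OPENVPN_USE_TLS_MD5 was renamed to OPENVPN_ALLOW_INSECURE_CERTPROFILE"` / `#endif`. The functions touched by these hunks begin and end outside the shown lines.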


@ -1302,7 +1302,7 @@ int openvpn_client(int argc, char *argv[], const std::string* profile_content)
std::cout << "--tvm-override, -M : tls-version-min override (disabled, default, tls_1_x)" << std::endl;
std::cout << "--legacy-algorithms, -L: Enable legacy algorithm (OpenSSL legacy provider)" << std::endl;
std::cout << "--tcprof-override, -X : tls-cert-profile override (" <<
#ifdef OPENVPN_USE_TLS_MD5
#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
"insecure, " <<
#endif
"legacy, preferred, etc.)" << std::endl;