
@h-yamamo
Created September 21, 2016 15:32
Support TLS_ECDHE_* cipher suites for ubuntu xenial openvpn package
Support TLS_ECDHE_* cipher suites.
You can specify e.g. --tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
The supported curve is only NIST P-256.
If you want to change the curve to P-384 or P-521,
change NID_X9_62_prime256v1 to NID_secp384r1 or NID_secp521r1.
--- 2.3.10-1ubuntu2/src/openvpn/ssl_openssl.c 2016-01-04 12:17:32.000000000 +0000
+++ b/src/openvpn/ssl_openssl.c 2016-09-19 20:00:00.000000000 +0900
@@ -390,9 +390,22 @@
{
DH *dh;
BIO *bio;
+ EC_KEY *ec;
ASSERT(NULL != ctx);
+ ec = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+ if (!ec)
+ msg (M_SSLERR, "unable to create curve (nistp256)");
+ else
+ {
+ if (!SSL_CTX_set_tmp_ecdh (ctx->ctx, ec))
+ msg (M_SSLERR, "SSL_CTX_set_tmp_ecdh");
+ else
+ msg (D_TLS_DEBUG_LOW, "Initialized ECDH parameters with nistp256");
+ EC_KEY_free (ec);
+ }
+
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
{
if (!(bio = BIO_new_mem_buf ((char *)dh_file_inline, -1)))
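Review bot: the ECDH setup is inserted into the function that loads the finite-field DH parameters (the one taking dh_file / dh_file_inline), so the EC_KEY is only installed when a --dh file is configured; that is the reason for the "tls-server must specify --dh file" tip, and it couples ECDHE availability to a DH file that ECDHE does not need. Consider moving the `EC_KEY_new_by_curve_name` / `SSL_CTX_set_tmp_ecdh` block into its own function called from TLS context initialisation, independent of the DH branch. Second, the curve is hard-coded as `NID_X9_62_prime256v1` while both log strings hard-code "nistp256"; if the NID is changed to secp384r1 or secp521r1 as the description suggests, the messages become wrong, so derive the printed name from the NID (e.g. `OBJ_nid2sn`) or keep the NID and its name together in one place. Since `M_SSLERR` is fatal, a failed `EC_KEY_new_by_curve_name` or `SSL_CTX_set_tmp_ecdh` aborts the process rather than falling back to non-ECDHE suites; a comment stating that this is intended would help the next reader.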
@h-yamamo (Author)
How to build the package:

apt-get -d source openvpn
tar xf openvpn_2.3.10.orig.tar.gz
cd openvpn-2.3.10
tar xf ../openvpn_2.3.10-1ubuntu2.debian.tar.xz
cp (somewhere)/ecdh.patch debian/patches/
echo ecdh.patch >> debian/patches/series
vi debian/changelog  # add description about TLS_ECDHE_* supported
debuild -uc -us

Tips:

  • tls-server must specify --dh file
