  • Save schwabe/9aa88c7244ec70a475c34818e54243a4 to your computer and use it in GitHub Desktop.
From 171e43142c82b6f0bf2cd5e4ce9265bb95527579 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Wed, 19 Feb 2020 14:16:10 +0100
Subject: [PATCH] Use PROFILE=SYSTEM instead of DEFAULT for ssl ciphers on
RHEL/Fedora
There is a Redhat/Fedora policy that you should not use "DEFAULT" and
SSL_CTX_set_cipher_list as that overrides the system wide policies.

Dropping this call however on Fedora/Redhat would weaken our security
as we would then allow cipher suites which do not have forward secrecy.
The acceptable workaround is to use "PROFILE=SYSTEM" instead of "DEFAULT".

Use the macro SSL_SYSTEM_DEFAULT_CIPHER_LIST defined by those operating
systems to use PROFILE=SYSTEM.
---
openvpn/openssl/ssl/sslctx.hpp | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp
index 05f8db8b..d4e3e9fd 100644
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@@ -1096,9 +1096,26 @@ namespace openvpn {
}
else
{
+ /*
+ * There is a Redhat/Fedora policy that you should not use "DEFAULT" and
+ * SSL_CTX_set_cipher_list as that overrides the system wide policies.
+ *
+ * Dropping this call however on Fedora/Redhat would weaken our security
+ * as we would then allow cipher suites which do not have forward secrecy
+ * The acceptable workaround is to use "PROFILE=SYSTEM" instead of "DEFAULT"
+ *
+ * Use the macro SSL_SYSTEM_DEFAULT_CIPHER_LIST defined by those operating
+ * systems to use PROFILE=SYSTEM.
+ */
+#if defined(SSL_SYSTEM_DEFAULT_CIPHER_LIST)
+#define OSSL_DEFAULT SSL_SYSTEM_DEFAULT_CIPHER_LIST
+#else
+#define OSSL_DEFAULT "DEFAULT"
+#endif
+
if (!SSL_CTX_set_cipher_list(ctx,
/* default list as a basis */
- "DEFAULT"
+ OSSL_DEFAULT
/* Disable export ciphers, low and medium */
":!EXP:!LOW:!MEDIUM"
/* Disable static (EC)DH keys (no forward secrecy) */
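Review bot: `OSSL_DEFAULT` is an unprefixed macro `#define`d inside the function body (between `#if defined(SSL_SYSTEM_DEFAULT_CIPHER_LIST)` and `#endif`) and only `#undef`'d in the next hunk, so a same-named macro coming from an OpenSSL or system header would be redefined silently. Since the macro exists only so that the base list concatenates with the adjacent literal `":!EXP:!LOW:!MEDIUM"`, either give it a project prefix (e.g. `OPENVPN_OSSL_DEFAULT_CIPHERS`) or hoist the `#if`/`#else` block to file scope next to the existing `OPENSSL_VERSION_NUMBER` conditionals, which keeps the define and its undef out of the function body and out of two separate hunks. Also note that the fallback to `"DEFAULT"` happens at compile time only (macro absent), never at run time: if the RHEL/Fedora OpenSSL rejects the modifiers appended after `PROFILE=SYSTEM`, the `OPENVPN_THROW(ssl_context_error, ...)` path turns that into a hard start-up failure, so this combination is worth exercising on an actual Fedora/RHEL build before merging.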
@@ -1115,6 +1132,7 @@ namespace openvpn {
":!SSLv2"
))
OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed");
+#undef OSSL_DEFAULT
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_CTX_set_ecdh_auto(ctx, 1); // this method becomes a no-op in OpenSSL 1.1
#endif
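Review bot: the `#undef OSSL_DEFAULT` is placed after the `OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed");` line rather than directly after the `))` that closes the cipher string, so the macro's textual lifetime covers the error path for no reason; move it up one line, or add a one-line comment saying it pairs with the `#define` in the previous hunk, so the scope is obvious to the next reader. The unchanged `SSL_CTX_set_ecdh_auto(ctx, 1)` block below is unaffected and correctly stays conditional on the 1.0.2 version range.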
--
2.25.0
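The patch's selection logic (system profile when the platform defines one, otherwise "DEFAULT", then exclusions appended) can be exercised outside OpenVPN with Python's ssl module, which drives the same OpenSSL `SSL_CTX_set_cipher_list` call. The block below is an added example, not OpenVPN or Red Hat code; `SYSTEM_DEFAULT` stands in for the compile-time `SSL_SYSTEM_DEFAULT_CIPHER_LIST` macro, the `!kDH:!kECDH:!kRSA` tokens are this example's own spelling of "disable static (EC)DH keys" (the patch's exact tokens are cut off in the hunk), and the run-time fallback to "DEFAULT" goes beyond the patch, which only falls back at compile time. It also shows the check the commit message argues for: after the call, no enabled TLS 1.2 suite lacks forward secrecy.

```python
"""Cipher-list selection with a system-profile fallback and a forward-secrecy
check. Added example; not OpenVPN code. Uses Python's ssl module, which calls
OpenSSL's SSL_CTX_set_cipher_list underneath."""
import ssl

# Hypothetical stand-in for the SSL_SYSTEM_DEFAULT_CIPHER_LIST macro: on
# RHEL/Fedora OpenSSL it expands to "PROFILE=SYSTEM"; elsewhere it is
# undefined, which this example models as None.
SYSTEM_DEFAULT = "PROFILE=SYSTEM"

# Exclusions appended after the base list. "!EXP:!LOW:!MEDIUM" mirrors the
# patch; the key-exchange tokens are this example's assumption for
# "disable static (EC)DH keys", plus !kRSA because RSA key transport also
# has no forward secrecy.
EXCLUSIONS = ":!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!kRSA"

# Key-exchange labels reported by SSLContext.get_ciphers() that lack
# forward secrecy (static DH, static ECDH, RSA key transport).
NON_PFS_KEA = {"kx-dh", "kx-ecdh", "kx-rsa"}


def build_cipher_string(system_default=None):
    """Same #if/#else choice the patch makes: the system profile when the
    platform defines one, otherwise "DEFAULT", with the exclusions appended."""
    base = system_default if system_default else "DEFAULT"
    return base + EXCLUSIONS


def make_context(system_default=SYSTEM_DEFAULT):
    """Configure a client context. On a non-RHEL OpenSSL, "PROFILE=SYSTEM" is
    not a known token, the resulting list is empty and set_ciphers() raises
    ssl.SSLError ("no cipher match"); this example then retries with the
    "DEFAULT" base, which is what a build without the macro would use.
    Returns (context, cipher string that was accepted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    candidates = [build_cipher_string(system_default)]
    if system_default:
        candidates.append(build_cipher_string(None))
    for cipher_string in candidates:
        try:
            ctx.set_ciphers(cipher_string)
            return ctx, cipher_string
        except ssl.SSLError:
            continue
    raise RuntimeError("no candidate cipher string was accepted by OpenSSL")


def non_pfs_suites(ctx):
    """Names of enabled TLS 1.2 suites whose key exchange lacks forward
    secrecy; the hardened context should yield an empty list. TLS 1.3 suites
    report 'kx-any' and always use ephemeral key exchange."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") in NON_PFS_KEA]


if __name__ == "__main__":
    ctx, used = make_context()
    print("accepted cipher string:", used)
    print("enabled suites:", len(ctx.get_ciphers()))
    print("suites without forward secrecy:", non_pfs_suites(ctx))
```

Run it on a Debian/Ubuntu box and the "PROFILE=SYSTEM" string is rejected and the "DEFAULT" string accepted; on Fedora/RHEL the first string is accepted. In both cases `non_pfs_suites()` should come back empty, which is the property the commit message is defending when it keeps the `SSL_CTX_set_cipher_list` call instead of dropping it.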