SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption".
This is something we neither want nor need, and it could potentially be used
in a future attack. OpenVPN 2.4 requires the flag to be set and will fail
configure if the flag is not present.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxJh17KYmVU1BVa5kp4iJsUJT+xnXp0rVU_3g3c5hPnqDQ@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8389
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -793,6 +793,21 @@ if test "${have_openssl_crypto}" = "yes"; then |
793 | 793 |
LIBS="${saved_LIBS}" |
794 | 794 |
fi |
795 | 795 |
|
796 |
+if test "${have_openssl_ssl}" = "yes"; then |
|
797 |
+ AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL]) |
|
798 |
+ AC_EGREP_CPP(have_ssl_op_no_ticket, [ |
|
799 |
+ #include <openssl/ssl.h> |
|
800 |
+ #ifdef SSL_OP_NO_TICKET |
|
801 |
+ have_ssl_op_no_ticket |
|
802 |
+ #endif |
|
803 |
+ ], [ |
|
804 |
+ AC_MSG_RESULT([yes]) |
|
805 |
+ ], [ |
|
806 |
+ AC_MSG_RESULT([no]) |
|
807 |
+ AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL]) |
|
808 |
+ ]) |
|
809 |
+fi |
|
810 |
+ |
|
796 | 811 |
AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl]) |
797 | 812 |
AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl]) |
798 | 813 |
have_polarssl_ssl="yes" |
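Review bot: The failure branch at new line 807 uses `AC_ERROR`, which is an obsolete Autoconf macro; the current spelling is `AC_MSG_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])`, which reports and aborts the same way without relying on the compatibility layer. Separately, `AC_EGREP_CPP` preprocesses with the current CPPFLAGS only, and the preceding hunk context shows LIBS being restored from `saved_LIBS` at line 793, so it appears the OpenSSL-specific flags used by the earlier checks are no longer in effect here; if OpenSSL headers live outside the default include path, `#include <openssl/ssl.h>` will not resolve and this check will hard-fail even when the flag exists. I would wrap the check the same way the earlier OpenSSL probes do, adding the user's OpenSSL CFLAGS to CPPFLAGS before `AC_EGREP_CPP` and restoring the saved value after, so the probe sees the same headers the build will. A one-line comment above the block, `# SSL_OP_NO_TICKET is mandatory: tls_ctx setup disables stateless resumption with it`, would record why this is a hard error rather than a feature test. The new `if ... fi` block is entirely within the hunk.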