Browse code
configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSL
SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption".
This is something we do not want nor need, but could potentially be used
for a future attack. OpenVPN 2.4 requires the flag to be set and will fail
configure if the flag is not present.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1AbxJh17KYmVU1BVa5kp4iJsUJT+xnXp0rVU_3g3c5hPnqDQ@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8389
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2014/03/23 22:07:47Showing 1 changed files
| ... | ... |
@@ -793,6 +793,21 @@ if test "${have_openssl_crypto}" = "yes"; then
|
| 793 | 793 |
LIBS="${saved_LIBS}"
|
| 794 | 794 |
fi |
| 795 | 795 |
|
| 796 |
+if test "${have_openssl_ssl}" = "yes"; then
|
|
| 797 |
+ AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL]) |
|
| 798 |
+ AC_EGREP_CPP(have_ssl_op_no_ticket, [ |
|
| 799 |
+ #include <openssl/ssl.h> |
|
| 800 |
+ #ifdef SSL_OP_NO_TICKET |
|
| 801 |
+ have_ssl_op_no_ticket |
|
| 802 |
+ #endif |
|
| 803 |
+ ], [ |
|
| 804 |
+ AC_MSG_RESULT([yes]) |
|
| 805 |
+ ], [ |
|
| 806 |
+ AC_MSG_RESULT([no]) |
|
| 807 |
+ AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL]) |
|
| 808 |
+ ]) |
|
| 809 |
+fi |
|
| 810 |
+ |
|
| 796 | 811 |
AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl]) |
| 797 | 812 |
AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl]) |
| 798 | 813 |
have_polarssl_ssl="yes" |