domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mbedtls: Re-allow SHA1-signed certificates

Browse Source 
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
This commit is contained in:
Baptiste Jonglez
2017-07-30 17:57:37 +02:00
committed by Hauke Mehrtens
parent ff414fb575
commit 3e35eb13ad
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
package/libs/mbedtls/Makefile
View File

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=mbedtls PKG_NAME:=mbedtls
PKG_VERSION:=2.5.1 PKG_VERSION:=2.5.1
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_USE_MIPS16:=0 PKG_USE_MIPS16:=0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz

9
package/libs/mbedtls/patches/200-config.patch
View File

@@ -269,3 +269,12 @@
/* \} name SECTION: mbed TLS modules */ /* \} name SECTION: mbed TLS modules */
@@ -2646,7 +2646,7 @@
* recommended because of it is possible to generte SHA-1 collisions, however
* this may be safe for legacy infrastructure where additional controls apply.
*/
-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
/**
* Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake