mbedtls: Re-allow SHA1-signed certificates
authorBaptiste Jonglez <git@bitsofnetworks.org>
Sun, 30 Jul 2017 15:57:37 +0000 (17:57 +0200)
committerHauke Mehrtens <hauke@hauke-m.de>
Fri, 11 Aug 2017 18:45:28 +0000 (20:45 +0200)
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
package/libs/mbedtls/Makefile
package/libs/mbedtls/patches/200-config.patch

index 4cceb74..101324d 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
 PKG_VERSION:=2.5.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
index 39de3cc..fb5a74f 100644 (file)
  
  /* \} name SECTION: mbed TLS modules */
  
+@@ -2646,7 +2646,7 @@
+  * recommended because of it is possible to generte SHA-1 collisions, however
+  * this may be safe for legacy infrastructure where additional controls apply.
+  */
+-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+ /**
+  * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake