author | Baptiste Jonglez <git@bitsofnetworks.org> | 2017-07-30 17:57:37 +0200 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2017-08-11 20:45:28 +0200 |
commit | 3e35eb13ada3b87e87cd108f9d459b9484446e9c (patch) | |
tree | c330f5183115c887bab82d331819f399587fe7c7 /package/libs/mbedtls/patches | |
parent | ff414fb575a43ada264186fe74e57fb605f20b7f (diff) | |
mbedtls: Re-allow SHA1-signed certificates
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.
Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
Fixes: FS#942
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Diffstat (limited to 'package/libs/mbedtls/patches')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | package/libs/mbedtls/patches/200-config.patch | 9 |

1 files changed, 9 insertions, 0 deletions
diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch index 39de3cc1ec..fb5a74fc65 100644 --- a/package/libs/mbedtls/patches/200-config.patch +++ b/package/libs/mbedtls/patches/200-config.patch @@ -269,3 +269,12 @@ /* \} name SECTION: mbed TLS modules */ +@@ -2646,7 +2646,7 @@ + * recommended because of it is possible to generte SHA-1 collisions, however + * this may be safe for legacy infrastructure where additional controls apply. + */ +-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES ++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES + + /** + * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake |
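Review bot: the added `+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` line turns SHA-1 certificate signatures back on in the library's global config.h, so the relaxed default verification profile applies to every program linked against this mbedtls build, not only the openvpn client named in the commit message, while the context lines of the same hunk state that this is not recommended because SHA-1 collisions are possible and is only considered safe for legacy infrastructure where additional controls apply. If the openvpn client can select a relaxed verification profile for its own TLS configuration, that would keep the library default strict; failing that, the commit message and a comment in 200-config.patch should say that the relaxation is system-wide and is meant to be dropped once the affected servers are reissued certificates with a stronger signature hash.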