From 3e35eb13ada3b87e87cd108f9d459b9484446e9c Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Sun, 30 Jul 2017 17:57:37 +0200 Subject: [PATCH] mbedtls: Re-allow SHA1-signed certificates Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates. This breaks openvpn clients that try to connect to servers that present a TLS certificate signed with SHA1, which is fairly common. Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx. Fixes: FS#942 Signed-off-by: Baptiste Jonglez --- package/libs/mbedtls/Makefile | 2 +- package/libs/mbedtls/patches/200-config.patch | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile index 4cceb743d5..101324de07 100644 --- a/package/libs/mbedtls/Makefile +++ b/package/libs/mbedtls/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls PKG_VERSION:=2.5.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch index 39de3cc1ec..fb5a74fc65 100644 --- a/package/libs/mbedtls/patches/200-config.patch +++ b/package/libs/mbedtls/patches/200-config.patch @@ -269,3 +269,12 @@ /* \} name SECTION: mbed TLS modules */ +@@ -2646,7 +2646,7 @@ + * recommended because of it is possible to generte SHA-1 collisions, however + * this may be safe for legacy infrastructure where additional controls apply. + */ +-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES ++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES + + /** + * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake -- 2.30.2