From 56885137662049c5000e0fb96651e70ef561230e Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Fri, 5 Jan 2024 23:05:20 +0100
Subject: [PATCH 1/2] Set security level explicitly

Default value may have been raised in OpenSSL 3, disrupting operation with less secure certificates.
---
 Sources/CTunnelKitOpenVPNProtocol/TLSBox.m | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m b/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m
index 11d372fd..ea924ca6 100644
--- a/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m
+++ b/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m
@@ -214,9 +214,7 @@ - (BOOL)startWithError:(NSError *__autoreleasing *)error
 self.ctx = SSL_CTX_new(TLS_client_method());
 SSL_CTX_set_options(self.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
 SSL_CTX_set_verify(self.ctx, SSL_VERIFY_PEER, TLSBoxVerifyPeer);
- if (self.securityLevel != TLSBoxDefaultSecurityLevel) {
- SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);
- }
+ SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);
 if (self.caPath) {
 if (!SSL_CTX_load_verify_locations(self.ctx, [self.caPath cStringUsingEncoding:NSASCIIStringEncoding], NULL)) {
From 1d6f7ee6b68417be9d28944ba94135995b18b475 Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Fri, 5 Jan 2024 23:09:07 +0100
Subject: [PATCH 2/2] [ci skip] Update CL

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1c7c2d7..0a5f5a44 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - OpenVPN: Bad error mapping. [#404](https://github.com/passepartoutvpn/tunnelkit/pull/404)
+- OpenVPN: Restore default security level. [#406](https://github.com/passepartoutvpn/tunnelkit/pull/406)
 ## 6.3.1 (2024-01-05)
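Review bot: In the first patch (TLSBox.m, `startWithError:`), the now-unconditional `SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);` also forwards `TLSBoxDefaultSecurityLevel`, which the removed guard used to skip. That constant's value is not visible in this hunk, and OpenSSL documents only levels 0 through 5, so if it is a sentinel outside that range the effective policy depends on how the library treats an undocumented value. If the default is meant to be a real level, a check before the call such as `NSParameterAssert(self.securityLevel >= 0 && self.securityLevel <= 5);` would make that explicit; otherwise the sentinel should be mapped to a concrete level first. Because the commit message says the aim is to keep working with less secure certificates, a comment on the call would record the trade-off, for example `// Pinned explicitly: OpenSSL 3 may default to a higher level; lower values accept weaker peer certificate keys and digests.` The method body starts and ends outside the hunk.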