Revert "Allow disabling TLS 1.3 in certcheck to more easily debug pro…

…blems" This reverts commit dca4190. This commit was only supposed to be in 3.9 and 3.10 core release Signed-off-by: Arne Schwabe <[email protected]>
OpenVPN · Jan 14, 2025 · d1ea30d · d1ea30d
1 parent 39fb73b
commit d1ea30d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 15 deletions.
diff --git a/client/ovpncli.cpp b/client/ovpncli.cpp
@@ -1329,8 +1329,7 @@ OPENVPN_CLIENT_EXPORT void OpenVPNClient::send_app_control_channel_msg(const std
 
 static SSLLib::SSLAPI::Config::Ptr setup_certcheck_ssl_config(const std::string &client_cert,
                                                               const std::string &extra_certs,
-                                                              const std::optional<const std::string> &ca,
-                                                              bool disabletls13)
+                                                              const std::optional<const std::string> &ca)
 {
     SSLLib::SSLAPI::Config::Ptr config = new SSLLib::SSLAPI::Config;
     config->set_frame(new Frame(Frame::Context(128, 4096, 4096 - 128, 0, 16, 0)));
@@ -1343,33 +1342,29 @@ static SSLLib::SSLAPI::Config::Ptr setup_certcheck_ssl_config(const std::string
     else
         flags |= SSLConfigAPI::LF_ALLOW_CLIENT_CERT_NOT_REQUIRED;
 
-    if (disabletls13)
-        config->set_tls_version_max(TLSVersion::Type::V1_2);
-
     config->set_flags(flags);
 
     return config;
 }
 
 OPENVPN_CLIENT_EXPORT void OpenVPNClient::start_cert_check(const std::string &client_cert,
                                                            const std::string &clientkey,
-                                                           const std::optional<const std::string> &ca,
-                                                           bool disableTLS13)
+                                                           const std::optional<const std::string> &ca)
 {
     if (state->is_foreign_thread_access())
     {
         ClientConnect *session = state->session.get();
         if (session)
         {
-            SSLLib::SSLAPI::Config::Ptr config = setup_certcheck_ssl_config(client_cert, "", ca, disableTLS13);
+            SSLLib::SSLAPI::Config::Ptr config = setup_certcheck_ssl_config(client_cert, "", ca);
             config->load_private_key(clientkey);
 
             session->start_acc_certcheck(config);
         }
     }
 }
 
-OPENVPN_CLIENT_EXPORT void OpenVPNClient::start_cert_check_epki(const std::string &alias, const std::optional<const std::string> &ca, bool disableTLS13)
+OPENVPN_CLIENT_EXPORT void OpenVPNClient::start_cert_check_epki(const std::string &alias, const std::optional<const std::string> &ca)
 {
     if (state->is_foreign_thread_access())
     {
@@ -1386,7 +1381,7 @@ OPENVPN_CLIENT_EXPORT void OpenVPNClient::start_cert_check_epki(const std::strin
                 return;
             }
 
-            SSLLib::SSLAPI::Config::Ptr config = setup_certcheck_ssl_config(req.cert, req.supportingChain, ca, disableTLS13);
+            SSLLib::SSLAPI::Config::Ptr config = setup_certcheck_ssl_config(req.cert, req.supportingChain, ca);
 
             config->set_external_pki_callback(this, alias);
 

diff --git a/client/ovpncli.hpp b/client/ovpncli.hpp
@@ -681,33 +681,31 @@ class OpenVPNClient : public TunBuilderBase,             // expose tun builder v
 
     // send custom app control channel message
     void send_app_control_channel_msg(const std::string &protocol, const std::string &msg);
+
     /**
       @brief Start up the cert check handshake using the given certs and key
       @param client_cert String containing the properly encoded client certificate
       @param clientkey String containing the properly encoded private key for \p client_cert
       @param ca Optional string containing the properly encoded authority
-      @param disableTLS13 disable TLS 1.3 support
 
       This function forwards to ClientProto::Session::start_acc_certcheck, which sets up the
       session ACC certcheck TLS handshake object. Every time this function is called the state of
       the handshake object will be reset and the handshake will be restarted.
     */
     void start_cert_check(const std::string &client_cert,
                           const std::string &clientkey,
-                          const std::optional<const std::string> &ca = std::nullopt,
-                          bool disableTLS13 = false);
+                          const std::optional<const std::string> &ca = std::nullopt);
 
     /**
       @brief Start up the cert check handshake using the given epki_alias string
       @param alias String containing the epki used for callbacks for certificate and signing operations
       @param ca Optional string containing the properly encoded authority
-      @param disableTLS13 disable TLS 1.3 support
 
       This function forwards to ClientProto::Session::start_acc_certcheck, which sets up the
       session ACC certcheck TLS handshake object. Every time this function is called the state of
       the handshake object will be reset and the handshake will be restarted.
     */
-    void start_cert_check_epki(const std::string &alias, const std::optional<const std::string> &ca, bool disableTLS13 = false);
+    void start_cert_check_epki(const std::string &alias, const std::optional<const std::string> &ca);
 
     // Callback for delivering events during connect() call.
     // Will be called from the thread executing connect().