diff options
author | Arne Schwabe | 2020-07-21 17:49:22 +0200 |
---|---|---|
committer | Gert Doering | 2020-07-21 22:33:58 +0200 |
commit | 8353ae8075fb25d1935258a2f007e024c5e2c43f (patch) | |
tree | 00772051d575db38d91abbaf28eeab7c6fdcbb40 /configure.ac | |
parent | ba66faad5608233f792c3679ebade09ff324a4b3 (diff) | |
download | openvpn-8353ae8075fb25d1935258a2f007e024c5e2c43f.zip openvpn-8353ae8075fb25d1935258a2f007e024c5e2c43f.tar.gz |
Implement tls-groups option to specify eliptic curves/groups
By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
TLS1.3 key exchange is independent from the signature/key of the
certificates, so allowing all groups per default is not a sensible
choice anymore and instead a shorter list is reasonable.
However, when using certificates with exotic curves that are not on
the group list, the signatures of these certificates will no longer
be accepted.
The tls-groups option allows to modify the group list to account
for these corner cases.
Patch V2: Uses local gc_arena instead of malloc/free, reword commit
message. Fix other typos/clarify messages
Patch V3: Style fixes, adjust code to changes from mbedTLS session
fix
Patch V5: Fix compilation with OpenSSL 1.0.2
Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change
which accidentally got lost.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200721154922.17144-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20521.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 02cb056..f827992 100644 --- a/configure.ac +++ b/configure.ac @@ -929,6 +929,7 @@ if test "${with_crypto_library}" = "openssl"; then OpenSSL_version \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ + SSL_CTX_set1_groups \ SSL_CTX_set_security_level \ X509_get0_notBefore \ X509_get0_notAfter \ |