diff options
author | Arne Schwabe | 2018-10-07 23:55:39 +0200 |
---|---|---|
committer | Gert Doering | 2018-10-10 21:32:09 +0200 |
commit | 9de7fe0a7bf1111ebea9ca9e28b2def9ae3e53ff (patch) | |
tree | 101a74fd31070545d989c9817da9487f0258514b /src/openvpn/options.c | |
parent | 773c086367c8dd94d71a10bd2b32f09b4a0840ae (diff) | |
download | openvpn-9de7fe0a7bf1111ebea9ca9e28b2def9ae3e53ff.zip openvpn-9de7fe0a7bf1111ebea9ca9e28b2def9ae3e53ff.tar.gz |
Add support for tls-ciphersuites for TLS 1.3
OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.
Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either settings unless absolutely required.
OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:
-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used
For mbed TLS only the future can tell if we will see a combined or also
two separate lists.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ea4ee31333a0cddb5c8dd4185f9426df13c76947)
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r-- | src/openvpn/options.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 52b9fb1..f964210 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1769,6 +1769,7 @@ show_settings(const struct options *o) SHOW_STR(cryptoapi_cert); #endif SHOW_STR(cipher_list); + SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); SHOW_STR(tls_export_cert); @@ -2783,6 +2784,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec MUST_BE_UNDEF(pkcs12_file); #endif MUST_BE_UNDEF(cipher_list); + MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); MUST_BE_UNDEF(tls_export_cert); @@ -7878,6 +7880,11 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_cert_profile = p[1]; } + else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->cipher_list_tls13 = p[1]; + } else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) { |