diff options
author | Arne Schwabe | 2020-07-21 17:49:22 +0200 |
---|---|---|
committer | Gert Doering | 2020-07-21 22:33:58 +0200 |
commit | 8353ae8075fb25d1935258a2f007e024c5e2c43f (patch) | |
tree | 00772051d575db38d91abbaf28eeab7c6fdcbb40 /src/openvpn/ssl.c | |
parent | ba66faad5608233f792c3679ebade09ff324a4b3 (diff) | |
download | openvpn-8353ae8075fb25d1935258a2f007e024c5e2c43f.zip openvpn-8353ae8075fb25d1935258a2f007e024c5e2c43f.tar.gz |
Implement tls-groups option to specify eliptic curves/groups
By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
TLS1.3 key exchange is independent from the signature/key of the
certificates, so allowing all groups per default is not a sensible
choice anymore and instead a shorter list is reasonable.
However, when using certificates with exotic curves that are not on
the group list, the signatures of these certificates will no longer
be accepted.
The tls-groups option allows to modify the group list to account
for these corner cases.
Patch V2: Uses local gc_arena instead of malloc/free, reword commit
message. Fix other typos/clarify messages
Patch V3: Style fixes, adjust code to changes from mbedTLS session
fix
Patch V5: Fix compilation with OpenSSL 1.0.2
Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change
which accidentally got lost.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200721154922.17144-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20521.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r-- | src/openvpn/ssl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 361366d..1c837ce 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -615,6 +615,12 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); tls_ctx_restrict_ciphers_tls13(new_ctx, options->cipher_list_tls13); + /* Set the allow groups/curves for TLS if we want to override them */ + if (options->tls_groups) + { + tls_ctx_set_tls_groups(new_ctx, options->tls_groups); + } + if (!tls_ctx_set_options(new_ctx, options->ssl_flags)) { goto err; |