diff options
author | Steffan Karger | 2016-10-12 09:32:49 +0200 |
---|---|---|
committer | David Sommerseth | 2016-10-13 17:23:20 +0200 |
commit | dc4fa3c4656b92aff3f26d4134c509410add142e (patch) | |
tree | 2789363d06c5dff789c497d51cf9cad4c929e66f /src/openvpn/ssl.h | |
parent | 396d30c264e6cb6b9f57c3e566f3b71879999662 (diff) | |
download | openvpn-dc4fa3c4656b92aff3f26d4134c509410add142e.zip openvpn-dc4fa3c4656b92aff3f26d4134c509410add142e.tar.gz |
Check --ncp-ciphers list on startup
Currently, if --ncp-ciphers contains an invalid cipher, OpenVPN will only
error out when that cipher is selected by negotiation. That's not very
friendly to the user, so check the list on startup, and give a clear error
message immediately.
This patches changes the cipher_kt_get() to let the caller decide what
action to take if no valid cipher was found. This enables us to print all
invalid ciphers in the list, instead of just the first invalid cipher.
This should fix trac #737.
v2: improve tls_check_ncp_cipher_list() with Selva's review suggestions.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <1476257569-16301-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12671.html
Trac: #737
Signed-off-by: David Sommerseth <davids@openvpn.net>
Diffstat (limited to 'src/openvpn/ssl.h')
-rw-r--r-- | src/openvpn/ssl.h | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index de68b69..e6963a4 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -503,6 +503,15 @@ tls_get_peer_info(const struct tls_multi *multi) */ int tls_peer_info_ncp_ver(const char *peer_info); +/** + * Check whether the ciphers in the supplied list are supported. + * + * @param list Colon-separated list of ciphers + * + * @returns true iff all ciphers in list are supported. + */ +bool tls_check_ncp_cipher_list(const char *list); + /* * inline functions */ |