authorArne Schwabe2018-10-07 23:55:39 +0200
committerGert Doering2018-10-10 21:07:22 +0200
commitea4ee31333a0cddb5c8dd4185f9426df13c76947 (patch)
treebbbaf4a94a1aee7fb39b89282b80f88991d2e6b6 /src/openvpn/ssl_backend.h
parent66b9409bb25402c1bfcd66359332792cf57d0825 (diff)
Add support for tls-ciphersuites for TLS 1.3
OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these interfaces are meant to be user facing or not exposed at all and we expose the tls-cipher interface, we should also expose tls-cipherlist. Combining both settings into tls-cipher would add a lot of glue logic that needs to be maintained and is error prone. On top of that, users should not set either setting unless absolutely required. OpenSSL's own s_client/s_server also expose both settings and I believe most other software will too: -cipher val Specify TLSv1.2 and below cipher list to be used -ciphersuites val Specify TLSv1.3 ciphersuites to be used For mbed TLS only the future can tell if we will see a combined or also two separate lists. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20181007215539.32761-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_backend.h')
-rw-r--r--src/openvpn/ssl_backend.h13
1 files changed, 12 insertions, 1 deletions
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 856e809..2ae3bcd 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -169,7 +169,8 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
/**
- * Restrict the list of ciphers that can be used within the TLS context.
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.2
+ * and below
*
* @param ctx TLS context to restrict, must be valid.
* @param ciphers String containing : delimited cipher names, or NULL to use
@@ -178,6 +179,16 @@ bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
/**
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.3
+ * and higher
+ *
+ * @param ctx TLS context to restrict, must be valid.
+ * @param ciphers String containing : delimited cipher names, or NULL to use
+ * sane defaults.
+ */
+void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers);
+
+/**
* Set the TLS certificate profile. The profile defines which crypto
* algorithms may be used in the supplied certificate.
*
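Review bot: The doc comment on the new `tls_ctx_restrict_ciphers_tls13` declaration in the second hunk does not say what a backend without TLS 1.3 support does with a non-NULL `ciphers` string — reject it, warn, or silently ignore it — and the commit message itself notes that mbed TLS has no such list yet. For a restriction the user explicitly configured, a caller reading only this header cannot tell whether the request is actually enforced; the backend implementations are outside this hunk, so I cannot confirm which behaviour was chosen. I would add a line to the comment such as ` * @note Backends without TLS 1.3 support: document here whether a non-NULL ciphers string is rejected, warned about, or ignored.` and replace it with the concrete behaviour once settled. Both new summary lines (`* and below` in the first hunk, `* and higher` in the second) would also read better with a terminating period, matching the surrounding Doxygen comments in this header.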