authorArne Schwabe2018-10-07 23:55:39 +0200
committerGert Doering2018-10-10 21:07:22 +0200
commitea4ee31333a0cddb5c8dd4185f9426df13c76947 (patch)
treebbbaf4a94a1aee7fb39b89282b80f88991d2e6b6 /src/openvpn/ssl_openssl.c
parent66b9409bb25402c1bfcd66359332792cf57d0825 (diff)
downloadopenvpn-ea4ee31333a0cddb5c8dd4185f9426df13c76947.zip
openvpn-ea4ee31333a0cddb5c8dd4185f9426df13c76947.tar.gz
Add support for tls-ciphersuites for TLS 1.3
OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these interfaces are meant to be user facing or not exposed at all and we expose the tls-cipher interface, we should also expose tls-cipherlist. Combining both settings into tls-cipher would add a lot of glue logic that needs to be maintained and is error prone. On top of that, users should not set either setting unless absolutely required. OpenSSL's own s_client/s_server also expose both settings and I believe most other software will too: -cipher val Specify TLSv1.2 and below cipher list to be used -ciphersuites val Specify TLSv1.3 ciphersuites to be used For mbed TLS only the future can tell if we will see a combined or also two separate lists. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20181007215539.32761-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r--src/openvpn/ssl_openssl.c56
1 files changed, 56 insertions, 0 deletions
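diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 0858d5e..ba0d132 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -391,6 +391,7 @@ convert_tls_list_to_openssl(char* openssl_ciphers, size_t len,const char *ciphers
 openssl_ciphers[openssl_ciphers_len-1] = '\0';
 }
 }
+
 void
 tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
@@ -427,6 +428,61 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 }
 void
+convert_tls13_list_to_openssl(char* openssl_ciphers, size_t len, const char *ciphers)
+{
+ /*
+ * OpenSSL (and official IANA) cipher names have _ in them. We
+ * historically used names with - in them. Silently convert names
+ * with - to names with _ to support both
+ */
+ if (strlen(ciphers) >= (len - 1))
+ {
+ msg(M_FATAL,
+ "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
+ (int) (len - 1));
+ }
+
+ strncpy(openssl_ciphers, ciphers, len);
+
+ for (size_t i = 0; i < strlen(openssl_ciphers); i++)
+ {
+ if (openssl_ciphers[i] == '-')
+ {
+ openssl_ciphers[i] = '_';
+ }
+ }
+}
+
+void
+tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
+{
+ if (ciphers == NULL)
+ {
+ /* default cipher list of OpenSSL 1.1.1 is sane, do not set own
+ * default as we do with tls-cipher */
+ return;
+ }
+
+#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
+ crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
+ "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
+ ciphers);
+#else
+ ASSERT(NULL != ctx);
+
+ char openssl_ciphers[4096];
+ convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers),
+ ciphers);
+
+ if (!SSL_CTX_set_ciphersuites(ctx->ctx, openssl_ciphers))
+ {
+ crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s",
+ openssl_ciphers);
+ }
+#endif
+}
+
+void
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
 {
 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL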
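Review bot: In `convert_tls13_list_to_openssl` the fatal check `strlen(ciphers) >= (len - 1)` already guarantees the string and its terminator fit, so the following `strncpy(openssl_ciphers, ciphers, len)` can never truncate; what it does do is zero-pad the whole buffer (4096 bytes from the only visible caller) on every call, and the loop below re-evaluates `strlen(openssl_ciphers)` on each iteration. Copying and converting in a single pass removes both and makes the NUL termination explicit (see fence). The function also has no header comment stating its contract; I would add `/* Copy ciphers into openssl_ciphers (len bytes), replacing '-' with '_'. ciphers must be non-NULL and len > 0; fatal if the list does not fit. */` above it, since the non-NULL requirement is only met because `tls_ctx_restrict_ciphers_tls13` returns early on NULL. If `len` were ever 0, `len - 1` would wrap and the check would pass, but that is not reachable from the visible `sizeof(openssl_ciphers)` call.
```c
void
convert_tls13_list_to_openssl(char* openssl_ciphers, size_t len, const char *ciphers)
{
    /* … unchanged: naming comment and the length check with msg(M_FATAL, …) … */

    /* copy and convert in one pass; the check above guarantees the
     * terminator fits, so no separate bounded copy is needed */
    size_t i;
    for (i = 0; ciphers[i] != '\0'; i++)
    {
        openssl_ciphers[i] = (ciphers[i] == '-') ? '_' : ciphers[i];
    }
    openssl_ciphers[i] = '\0';
}
```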