Message ID | 20181011220639.7316-1-arne@rfc2549.org |
---|---|
State | Accepted, archived |
Headers | show |
Series | [Openvpn-devel] Use right function to set TLS1.3 restrictions in show-tls | expand |
On 12/10/18 00:06, Arne Schwabe wrote: > The last version of the patch used the TLS1.2 version > tls_ctx_restrict_ciphers to set the restrictions for both > TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13 > for TLS1.3. > > Also fix minor style problem while I am touching the function > --- > src/openvpn/ssl_openssl.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 6717ded0..da573cfa 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -2002,15 +2002,16 @@ show_available_tls_ciphers_list(const char *cipher_list, > if (tls13) > { > SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); > + tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); Isn't this function only available in OpenSSL 1.1.1 and newer? Or am I missing a fine detail here?
Am 12.10.18 um 12:38 schrieb David Sommerseth: > On 12/10/18 00:06, Arne Schwabe wrote: >> The last version of the patch used the TLS1.2 version >> tls_ctx_restrict_ciphers to set the restrictions for both >> TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13 >> for TLS1.3. >> >> Also fix minor style problem while I am touching the function >> --- >> src/openvpn/ssl_openssl.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c >> index 6717ded0..da573cfa 100644 >> --- a/src/openvpn/ssl_openssl.c >> +++ b/src/openvpn/ssl_openssl.c >> @@ -2002,15 +2002,16 @@ show_available_tls_ciphers_list(const char *cipher_list, >> if (tls13) >> { >> SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); >> + tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); > > Isn't this function only available in OpenSSL 1.1.1 and newer? Or am I > missing a fine detail here? > It is and it is a block ifdef'ed by OpenSSL version. Arne
Acked-by: Gert Doering <gert@greenie.muc.de> It now displays the expected result set (and the code change makes sense): $ src/openvpn/openvpn --verb 4 --tls-ciphersuites TLS_AES_256_GCM_SHA384 --show-tls --tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 Available TLS Ciphers, listed in order of preference: For TLS 1.3 and newer (--tls-ciphersuites): TLS_AES_256_GCM_SHA384 For TLS 1.2 and older (--tls-cipher): TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 Tested with OpenSSL 1.0.2, 1.1.1 and mbedTLS. Your patch has been applied to the master and release/2.4 branch. commit 680117529ededd94b1d56867f8d834aa5daa2b95 (master) commit 33253cf1d0c1175e7391a4eec3b64f1ec0b303dd (release/2.4) Author: Arne Schwabe Date: Fri Oct 12 00:06:39 2018 +0200 Use right function to set TLS1.3 restrictions in show-tls Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20181011220639.7316-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 6717ded0..da573cfa 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2002,15 +2002,16 @@ show_available_tls_ciphers_list(const char *cipher_list, if (tls13) { SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); + tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); } else #endif { SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION); + tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); } tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile); - tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); SSL *ssl = SSL_new(tls_ctx.ctx); if (!ssl) @@ -2039,7 +2040,8 @@ show_available_tls_ciphers_list(const char *cipher_list, else if (NULL == pair) { /* No translation found, print warning */ - printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name); + printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", + cipher_name); } else {