Refactored cipher restriction code
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
This commit is contained in:
parent
244da317ee
commit
2e74a9d02d
7
ssl.c
7
ssl.c
@ -1609,8 +1609,6 @@ tls_deauthenticate (struct tls_multi *multi)
|
||||
void
|
||||
init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
|
||||
{
|
||||
SSL_CTX *ctx = NULL;
|
||||
|
||||
ASSERT(NULL != new_ctx);
|
||||
|
||||
tls_clear_error();
|
||||
@ -1673,8 +1671,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
|
||||
}
|
||||
}
|
||||
|
||||
ctx = new_ctx->ctx;
|
||||
|
||||
if (options->ca_file || options->ca_path)
|
||||
{
|
||||
tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
|
||||
@ -1702,8 +1698,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
|
||||
/* Allowable ciphers */
|
||||
if (options->cipher_list)
|
||||
{
|
||||
if (!SSL_CTX_set_cipher_list (ctx, options->cipher_list))
|
||||
msg (M_SSLERR, "Problem with cipher list: %s", options->cipher_list);
|
||||
tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
|
||||
}
|
||||
|
||||
tls_clear_error ();
|
||||
|
@ -116,6 +116,14 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
|
||||
*/
|
||||
void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
|
||||
|
||||
/**
|
||||
* Restrict the list of ciphers that can be used within the TLS context.
|
||||
*
|
||||
* @param ctx TLS context to restrict
|
||||
* @param ciphers String containing : delimited cipher names.
|
||||
*/
|
||||
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
|
||||
|
||||
/**
|
||||
* Load Diffie Hellman Parameters, and load them into the library-specific
|
||||
* TLS context.
|
||||
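Review bot: The new doc comment on tls_ctx_restrict_ciphers does not say what happens when the library rejects the string, although the OpenSSL implementation added in the same commit reports that via msg(M_SSLERR, ...), which as far as I recall includes M_FATAL in OpenVPN's error.h, so the call never returns with a half-applied restriction. It also does not state that `ciphers` must be non-NULL: the ssl.c caller guards the call with `if (options->cipher_list)`, and the backend only asserts `ctx`. I would extend the comment with `* @param ciphers String containing : delimited cipher names; must not be NULL.` and a line such as `* Terminates (M_SSLERR) if the library rejects the cipher string.` so backend implementers and callers agree on the contract.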
|
@ -181,6 +181,16 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
|
||||
SSL_CTX_set_info_callback (ctx->ctx, info_callback);
|
||||
}
|
||||
|
||||
void
|
||||
tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
|
||||
{
|
||||
ASSERT(NULL != ctx);
|
||||
|
||||
/* Fox-IT hardening: restrict allowed TLS ciphers. */
|
||||
if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers))
|
||||
msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", ciphers);
|
||||
}
|
||||
|
||||
void
|
||||
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file
|
||||
#if ENABLE_INLINE_FILES
|
||||
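Review bot: SSL_CTX_set_cipher_list() in the new tls_ctx_restrict_ciphers reports success as soon as at least one entry in `ciphers` matches a known cipher, so a list with one valid name and several mistyped ones still passes the check and the effective restriction is weaker than what the operator configured. Since this is the hardening hook, it is worth stating that in the comment and, if the verbosity machinery allows, logging the effective list so a misconfiguration is visible rather than silent; at minimum I would add `ASSERT(NULL != ciphers);` next to the existing ASSERT, since nothing in this function checks it. Style: `if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers))` omits the space before the parenthesis that the neighbouring `SSL_CTX_set_info_callback (ctx->ctx, info_callback);` uses and leaves the msg() body unbraced; `if (!SSL_CTX_set_cipher_list (ctx->ctx, ciphers))` with braces matches the file. The comment `/* Fox-IT hardening: restrict allowed TLS ciphers. */` reads as a changelog note rather than an explanation; `/* Restrict the cipher suites OpenSSL may negotiate to the configured list. */` describes the code for later readers.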
|