openssl: be less verbose about cipher translation errors
authorSteffan Karger <steffan@karger.me>
Tue, 6 Oct 2015 18:38:27 +0000 (20:38 +0200)
committerGert Doering <gert@greenie.muc.de>
Thu, 8 Oct 2015 13:28:46 +0000 (15:28 +0200)
Translation errors are usually not a real problem, since we don't maintain
the complete list of ciphers OpenSSL supports.  So, be less verbose if we
can not find a translation.

Also, add 'translations' for commonly used negated cipher suites to
suppress messages about those completely.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444156707-14087-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10198
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl.c
src/openvpn/ssl_openssl.c

index 54a3e094cf3d6444805db1e788a89ed0ee42d2dd..529d14dae4be76adcd49a274c5bbe5eb30618f66 100644 (file)
@@ -232,18 +232,19 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
     {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
     {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
 #ifdef ENABLE_CRYPTO_OPENSSL
+    /* OpenSSL-specific group names */
     {"DEFAULT", "DEFAULT"},
     {"ALL", "ALL"},
-    {"HIGH", "HIGH"},
-    {"MEDIUM", "MEDIUM"},
-    {"LOW", "LOW"},
-    {"ECDH", "ECDH"},
-    {"ECDSA", "ECDSA"},
-    {"EDH", "EDH"},
-    {"EXP", "EXP"},
-    {"RSA", "RSA"},
-    {"kRSA", "kRSA"},
-    {"SRP", "SRP"},
+    {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
+    {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
+    {"LOW", "LOW"}, {"!LOW", "!LOW"},
+    {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
+    {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
+    {"EDH", "EDH"}, {"!EDH", "!EDH"},
+    {"EXP", "EXP"}, {"!EXP", "!EXP"},
+    {"RSA", "RSA"}, {"!RSA", "!RSA"},
+    {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
+    {"SRP", "SRP"}, {"!SRP", "!SRP"},
 #endif
     {NULL, NULL}
 };
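Review bot: The negated names from `{"HIGH", "HIGH"}, {"!HIGH", "!HIGH"}` onward are literal duplicates, so only the `!` operator on these ten groups is recognised. Any other exclusion an operator writes still takes the no-translation path, and exclusions are what remove weak suites from the list. It may be cleaner to handle the prefix in the lookup rather than in the table (strip a leading `!`, translate the remainder, re-attach the prefix), though the lookup code is not visible in this hunk. If the table stays as is, the new comment should say why the duplicates exist, e.g. `/* OpenSSL-specific group names; '!' forms are identity-mapped only to suppress the no-translation message */`. The table starts above the hunk.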
index df9fa8734cbc8d3b6f64e2841e49fc30792e946f..a38c41b8172400354cf075315a623abad6838c00 100644 (file)
@@ -272,7 +272,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
           // Issue warning on missing translation
           // %.*s format specifier expects length of type int, so guarantee
           // that length is small enough and cast to int.
-          msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
+          msg (D_LOW, "No valid translation found for TLS cipher '%.*s'",
                  constrain_int(current_cipher_len, 0, 256), current_cipher);
         }
       else
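Review bot: Lowering this message to `D_LOW` means a misspelt entry in the cipher list, including a misspelt exclusion such as `!EXP`, presumably no longer shows up at default verbosity, so a restriction that never took effect can go unnoticed. What happens to the untranslated name is not visible here, because tls_ctx_restrict_ciphers starts above the hunk and continues past the `else`. If the name is handed to OpenSSL unchanged, consider logging the resulting cipher list once it has been applied so operators can confirm what was actually enabled. The comment above the call is now stale and should read `// Issue a low-priority debug message on missing translation`.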