Set tls-cipher restriction before loading certificates

OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
only if the cipher list is set before loading the certificates. This patch
changes the order of loading.

Acked-by: Christian Hesse <list@eworm.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1498475606-8337-1-git-send-email-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 15cd94ad670dd9c2fda0e15ee368bccf47235b9d..98f4741bddc49d2619612af8ded21c3b0f01b208 100644 (file)
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
         tls_ctx_client_new(new_ctx);
     }
 
+    /* Allowable ciphers */
+    /* Since @SECLEVEL also influces loading of certificates, set the
+     * cipher restrictions before loading certificates */
+    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+
     tls_ctx_set_options(new_ctx, options->ssl_flags);
 
     if (options->pkcs12_file)
@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
         tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
     }
 
-    /* Allowable ciphers */
-    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
-
 #ifdef ENABLE_CRYPTO_MBEDTLS
     /* Personalise the random by mixing in the certificate */
     tls_ctx_personalise_random(new_ctx);