git.ipfire.org Git - thirdparty/openvpn.git/commit
Further restrict default cipher list
author Steffan Karger <steffan@karger.me>
Sun, 17 Apr 2016 18:32:07 +0000 (20:32 +0200)
committer Gert Doering <gert@greenie.muc.de>
Mon, 18 Apr 2016 14:42:58 +0000 (16:42 +0200)
commit a44eac2bf47416b35609c37b10eb803dd61945ed
tree 17641a542b7410f6f00905cb53ec5ab1845a240b
parent 6be0f0015d7485f0bf3c14a3a381a6f6496270a5

In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers.  Let's follow this example in OpenVPN and
further restrict the default list of negotiable TLS ciphers.

Compared to earlier, this disables the following:
 * Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
   The LOW suite will be completely removed from OpenSSL in 1.1.0,
   the MEDIUM suite contains ciphers like RC4 and SEED.
 * Ciphers that do not provide forward secrecy (static DH/ECDH keys)
 * DSA private keys (rarely used, and usually restricted to 1024 bits)

v2: added Changes.rst entry.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917927-31645-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11457
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Changes.rst
doc/openvpn.8
src/openvpn/ssl_openssl.c