void
init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
{
- SSL_CTX *ctx = NULL;
-
ASSERT(NULL != new_ctx);
tls_clear_error();
}
}
- ctx = new_ctx->ctx;
-
if (options->ca_file || options->ca_path)
{
tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
/* Allowable ciphers */
if (options->cipher_list)
{
- if (!SSL_CTX_set_cipher_list (ctx, options->cipher_list))
- msg (M_SSLERR, "Problem with cipher list: %s", options->cipher_list);
+ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
}
tls_clear_error ();
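Review bot: The added call `tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);` drops the space before the opening parenthesis that the surrounding file uses (`msg (`, `tls_clear_error ();` on the neighbouring lines), and the same spacing appears in the new prototype and definition in the other two hunks. Whichever form the project prefers, the new lines should follow the existing one so the cipher-restriction code does not stand out from the rest of init_ssl. The body of init_ssl continues past the end of this hunk.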
*/
void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
+/**
+ * Restrict the list of ciphers that can be used within the TLS context.
+ *
+ * @param ctx TLS context to restrict
+ * @param ciphers String containing : delimited cipher names.
+ */
+void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
+
/**
* Load Diffie Hellman Parameters, and load them into the library-specific
* TLS context.
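Review bot: The new doc comment on `tls_ctx_restrict_ciphers` does not say what happens when the list cannot be applied, although the function returns nothing and the backend reports the failure through `msg(M_SSLERR, ...)` in the ssl_openssl.c hunk, so a caller cannot react to it. The comment should state that no status is returned and that failure is reported via M_SSLERR (and, if M_SSLERR is fatal as the call site it replaces relied on, that the process does not continue), for example ` * Failure to apply the list is reported via msg(M_SSLERR); nothing is returned.` It would also help to note that `ciphers` is in the backend library's cipher-list syntax, since the header is the backend-neutral interface.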
SSL_CTX_set_info_callback (ctx->ctx, info_callback);
}
+void
+tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
+{
+ ASSERT(NULL != ctx);
+
+ /* Fox-IT hardening: restrict allowed TLS ciphers. */
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers))
+ msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", ciphers);
+}
+
void
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file
#if ENABLE_INLINE_FILES
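Review bot: `SSL_CTX_set_cipher_list` on the new `if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers))` line only returns failure when none of the names in `ciphers` is recognised; per OpenSSL's documented contract, unknown names are dropped silently, so a misspelled entry in a hardening list narrows the effective set without ever reaching the M_SSLERR message. Since the point of this helper is a restriction, record that limitation next to the call and consider logging the effective list at debug level after the call so an operator can verify it: `/* set_cipher_list succeeds if at least one name matches; unknown names are dropped silently, so verify the effective list. */`. The if-body should also be braced and spaced like the rest of the file (`if (options->cipher_list)` with braces in ssl.c): `if (!SSL_CTX_set_cipher_list(ctx->ctx, ciphers)) { msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", ciphers); }`.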