If --tls-cipher is supplied, make --show-tls parse the list.

This allows to check the available TLS ciphers for a specific configuration
by supplying both --tls-cipher and --show-tls options.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-4-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8150
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cb03dca83e37fd65666bf776f39da902fb10acbc)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 7d33f217ca4384a9819e19aec137d2a186d6f517..52d370b80b40042d8747e907d2cacb44ca4c01bb 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -866,7 +866,7 @@ print_openssl_info (const struct options *options)
        show_available_engines ();
 #ifdef ENABLE_SSL
       if (options->show_tls_ciphers)
-       show_available_tls_ciphers ();
+       show_available_tls_ciphers (options->cipher_list);
 #endif
       return true;
     }

diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 07cb9abce4b519c2df215e5a4779e818d826cae3..54383feb9cac44cb2001613a952b20f6f50b19ea 100644 (file)
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -454,8 +454,10 @@ void print_details (struct key_state_ssl * ks_ssl, const char *prefix);
 /*
  * Show the TLS ciphers that are available for us to use in the OpenSSL
  * library.
+ *
+ * @param              - list of allowed TLS cipher, or NULL.
  */
-void show_available_tls_ciphers ();
+void show_available_tls_ciphers (const char *tls_ciphers);
 
 /*
  * The OpenSSL library has a notion of preference in TLS ciphers.  Higher

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 350cd7f822887da67fb5167d635b616718cabee0..f7313fecde6fd792afd3a02b01bd023a5fcafce0 100644 (file)
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1284,23 +1284,26 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix)
 }
 
 void
-show_available_tls_ciphers ()
+show_available_tls_ciphers (const char *cipher_list)
 {
-  SSL_CTX *ctx;
+  struct tls_root_ctx tls_ctx;
   SSL *ssl;
   const char *cipher_name;
   const char *print_name;
   const tls_cipher_name_pair *pair;
   int priority = 0;
 
-  ctx = SSL_CTX_new (SSLv23_method ());
-  if (!ctx)
+  tls_ctx.ctx = SSL_CTX_new (SSLv23_method ());
+  if (!tls_ctx.ctx)
     msg (M_SSLERR, "Cannot create SSL_CTX object");
 
-  ssl = SSL_new (ctx);
+  ssl = SSL_new (tls_ctx.ctx);
   if (!ssl)
     msg (M_SSLERR, "Cannot create SSL object");
 
+  if (cipher_list)
+    tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+
   printf ("Available TLS Ciphers,\n");
   printf ("listed in order of preference:\n\n");
   while ((cipher_name = SSL_get_cipher_list (ssl, priority++)))
@@ -1318,7 +1321,7 @@ show_available_tls_ciphers ()
   printf ("\n");
 
   SSL_free (ssl);
-  SSL_CTX_free (ctx);
+  SSL_CTX_free (tls_ctx.ctx);
 }
 
 void

diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index cdd91890ab0c3c9cd396fb46ede23cc712fa4eb9..551c352beaa6b7d4bdc440cb09fbea015e01e66e 100644 (file)
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -1033,10 +1033,16 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix)
 }
 
 void
-show_available_tls_ciphers ()
+show_available_tls_ciphers (const char *cipher_list)
 {
+  struct tls_root_ctx tls_ctx;
   const int *ciphers = ssl_list_ciphersuites();
 
+  if (cipher_list) {
+    tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+    ciphers = tls_ctx.allowed_ciphers;
+  }
+
 #ifndef ENABLE_SMALL
   printf ("Available TLS Ciphers,\n");
   printf ("listed in order of preference:\n\n");