In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers. Let's follow this example in OpenVPN and
also restrict the default list of negotiable TLS ciphers in 2.3.x.
This disables the following:
* Export ciphers (these are broken on purpose...)
* Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
The LOW suite will be completely removed from OpenSSL in 1.1.0,
the MEDIUM suite contains ciphers like RC4 and SEED.
* Ciphers that are not supported by OpenVPN anyway (cleans up the list)
Note that users are able to override this default, using --tls-cipher, if
they for some reason need ciphers that are now disabled by default.
v2: add Changes.rst entry.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <
1460917412-29741-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11455
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Do not randomize resolving of IP addresses in getaddr()
+
+Version 2.3.11
+==============
+
+Behavioral changes
+------------------
+
+- Stricter default TLS cipher list (override with ``--tls-cipher``), that now
+ also disables:
+
+ * Non-ephemeral key exchange using static (EC)DH keys
+ * DSS private keys
+
+
+
Version 2.3.10
=============
your VPN connection. But it is also easy to unwittingly use it to carefully
align a gun with your foot, or just break your connection. Use with care!
-The default for --tls-cipher is to use PolarSSL's default cipher list
-when using PolarSSL or "DEFAULT:!EXP:!PSK:!SRP:!kRSA" when using OpenSSL.
+The default for \-\-tls\-cipher is to use PolarSSL's default cipher list
+when using PolarSSL or "DEFAULT:!EXP:!LOW:!MEDIUM:!PSK:!SRP:!kRSA" when using
+OpenSSL.
.\"*********************************************************
.TP
.B \-\-tls\-timeout n
tls_ctx_check_cert_time(new_ctx);
/* Allowable ciphers */
- if (options->cipher_list)
- {
- tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
- }
+ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
#ifdef ENABLE_CRYPTO_POLARSSL
/* Personalise the random by mixing in the certificate */
void
tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
{
+ if (ciphers == NULL)
+ {
+ /* Use sane default TLS cipher list */
+ if(!SSL_CTX_set_cipher_list(ctx->ctx,
+ /* Use openssl's default list as a basis */
+ "DEFAULT"
+ /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */
+ ":!EXP:!LOW:!MEDIUM"
+ /* Disable unsupported TLS modes */
+ ":!PSK:!SRP:!kRSA"))
+ crypto_msg (M_FATAL, "Failed to set default TLS cipher list.");
+ return;
+ }
+
size_t begin_of_cipher, end_of_cipher;
const char *current_cipher;
if (!ssl)
crypto_msg (M_FATAL, "Cannot create SSL object");
- if (cipher_list)
- tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
projects / thirdparty / openvpn.git / commitdiff
