Disable unsupported TLS cipher modes by default, cleans --show-tls output.
authorSteffan Karger <steffan@karger.me>
Sat, 1 Mar 2014 14:36:15 +0000 (15:36 +0100)
committerGert Doering <gert@greenie.muc.de>
Sun, 23 Mar 2014 21:10:06 +0000 (22:10 +0100)
This explicitly disables a number of TLS ciphers that OpenVPN currently does
not support. OpenSSL would automatically detect this during negotiation,
but --show-tls erroneously listed a number of these unsupported ciphers.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8318
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl_openssl.c

index 2da7ebafa95f0b33bc8a72b74a131a2a0b883617..0b63e260778892965afc827bf641f87ab6abd770 100644 (file)
@@ -219,8 +219,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
   if (ciphers == NULL)
     {
-      /* Use sane default */
-      if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+      /* Use sane default (disable export, and unsupported cipher modes) */
+      if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP"))
         msg(M_SSLERR, "Failed to set default TLS cipher list.");
       return;
     }
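Review bot: The new `if(!SSL_CTX_set_cipher_list(...))` on the replaced line keeps the missing space after `if`, which is inconsistent with `if (ciphers == NULL)` two lines above in the same hunk; write it as `if (!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP"))`. The exclusion list is a bare string literal with its reasoning only in the comment, so a reader later cannot tell which suites are excluded for policy reasons (`!EXP`) and which merely because the code cannot negotiate them (`!PSK`, `!SRP`); a short comment such as `/* !PSK and !SRP: OpenVPN has no key-exchange support for these, so hide them from --show-tls */` would keep that distinction visible. Note also that OpenSSL's DEFAULT keyword still admits suites many deployments would now rate as weak, depending on the library version, so this list should not be read as a hardening baseline — only the export suites are removed on that ground. tls_ctx_restrict_ciphers begins before this hunk and its non-default branch continues after it.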