From: Arne Schwabe Date: Thu, 11 Oct 2018 22:06:39 +0000 (+0200) Subject: Use right function to set TLS1.3 restrictions in show-tls X-Git-Tag: v2.4.7~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33253cf1d0c1175e7391a4eec3b64f1ec0b303dd;p=thirdparty%2Fopenvpn.git Use right function to set TLS1.3 restrictions in show-tls The last version of the patch used the TLS1.2 version tls_ctx_restrict_ciphers to set the restrictions for both TLS 1.3 and TLS1.2 instead of using tls_ctx_restrict_ciphers_tls13 for TLS1.3. Also fix minor style problem while I am touching the function Acked-by: Gert Doering Message-Id: <20181011220639.7316-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html Signed-off-by: Gert Doering (cherry picked from commit 680117529ededd94b1d56867f8d834aa5daa2b95) --- diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 813f00778..a78dae991 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1850,15 +1850,16 @@ show_available_tls_ciphers_list(const char *cipher_list, if (tls13) { SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); + tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); } else #endif { SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION); + tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); } tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile); - tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); SSL *ssl = SSL_new(tls_ctx.ctx); if (!ssl) @@ -1887,7 +1888,8 @@ show_available_tls_ciphers_list(const char *cipher_list, else if (NULL == pair) { /* No translation found, print warning */ - printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name); + printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", + cipher_name); } else {
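Review bot: In the first hunk (@@ -1850,15 +1850,16 @@), the cipher restriction now runs before `tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);`, whereas the removed `tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);` ran after it, and the commit message does not mention this reordering. Either keep the per-version restriction calls after the cert-profile call, or state in the message that the order does not matter here. Because the same `cipher_list` variable is now passed to two different functions, a one-line comment in each branch saying which kind of list it holds there (TLS 1.3 ciphersuites in the `tls13` branch, TLS 1.2 ciphers in the `else` branch) would make the intent clear to the next reader. The return values of `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` are also ignored in the visible lines; if a failure there is possible, the listing could silently reflect the wrong protocol range.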
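Review bot: The second hunk (@@ -1887,7 +1888,8 @@) only re-wraps the `printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);` call and has no connection to the cipher-restriction fix. Since this commit is a cherry-pick onto a release branch, consider carrying the style change as a separate commit so the functional fix can be backported or reverted without touching unrelated lines.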