Allow running a default configuration with TLS libraries without BF-CBC
Modern TLS libraries might drop Blowfish by default or distributions
might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
options with BF-CBC compatible strings. To avoid requiring BF-CBC
for this, special-case this one usage of BF-CBC enough to avoid a hard
requirement on Blowfish in the default configuration.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v2: add more clarifying comment, do not warn about OCC only insecure
ciphers, code improvements
Patch V3: Put ciphername resolution via cipher_kt_name in the right branch
Patch V4: Fix corner case of BF-CBC in data-ciphers not initialising cipher.
Patch v5: I accidentally resent v3 as v4. So v5 is just a resend of the real
v4
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210219165252.4562-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21577.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>