git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Steffan Karger <steffan@karger.me>
	Sun, 17 Apr 2016 18:23:32 +0000 (20:23 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Mon, 18 Apr 2016 14:33:44 +0000 (16:33 +0200)
commit	8a399cd30ae19f521794f3dfe7ef194abd440d1b
tree	9a5462f88636ce984a4343420df0560cc1770f89	tree
parent	b582af4b62325596231e9e34135b49c5115519e5	commit \| diff

Restrict default TLS cipher list

In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers.  Let's follow this example in OpenVPN and
also restrict the default list of negotiable TLS ciphers in 2.3.x.

This disables the following:
* Export ciphers (these are broken on purpose...)
* Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
   The LOW suite will be completely removed from OpenSSL in 1.1.0,
   the MEDIUM suite contains ciphers like RC4 and SEED.
* Ciphers that are not supported by OpenVPN anyway (cleans up the list)

Note that users are able to override this default, using --tls-cipher, if
they for some reason need ciphers that are now disabled by default.

v2: add Changes.rst entry.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917412-29741-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11455
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Changes.rst		diff \| blob \| blame \| history
doc/openvpn.8		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_openssl.c		diff \| blob \| blame \| history