git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Sun, 7 Oct 2018 21:55:39 +0000 (23:55 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Wed, 10 Oct 2018 19:32:09 +0000 (21:32 +0200)
commit	9de7fe0a7bf1111ebea9ca9e28b2def9ae3e53ff
tree	101a74fd31070545d989c9817da9487f0258514b	tree
parent	773c086367c8dd94d71a10bd2b32f09b4a0840ae	commit \| diff

Add support for tls-ciphersuites for TLS 1.3

OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
interfaces are meant to be user facing or not exposed at all and we
expose the tls-cipher interface, we should also expose tls-cipherlist.

Combining both settings into tls-cipher would add a lot of glue logic
that needs to be maintained and is error prone. On top of that, users
should not set either settings unless absolutely required.

OpenSSL's own s_client/s_server also expose both settings and I believe
most other software will too:

-cipher val Specify TLSv1.2 and below cipher list to be used
-ciphersuites val Specify TLSv1.3 ciphersuites to be used

For mbed TLS only the future can tell if we will see a combined or also
two separate lists.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181007215539.32761-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17626.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ea4ee31333a0cddb5c8dd4185f9426df13c76947)

doc/openvpn.8		diff \| blob \| blame \| history
src/openvpn/options.c		diff \| blob \| blame \| history
src/openvpn/options.h		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_backend.h		diff \| blob \| blame \| history
src/openvpn/ssl_mbedtls.c		diff \| blob \| blame \| history
src/openvpn/ssl_openssl.c		diff \| blob \| blame \| history