From 26345ba61b8d5bccb1331894ab6d1468e3b09adf Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 26 Jun 2017 13:13:26 +0200 Subject: [PATCH] Set tls-cipher restriction before loading certificates OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but only if the cipher list is set before loading the certificates. This patch changes the order of loading. Acked-by: Christian Hesse Acked-by: Steffan Karger Message-Id: <1498475606-8337-1-git-send-email-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html Signed-off-by: Gert Doering --- src/openvpn/ssl.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 29280dcea..9ca300c0c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_client_new(new_ctx); } + /* Allowable ciphers */ + /* Since @SECLEVEL also influces loading of certificates, set the + * cipher restrictions before loading certificates */ + tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); + tls_ctx_set_options(new_ctx, options->ssl_flags); if (options->pkcs12_file) @@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve); } - /* Allowable ciphers */ - tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); - #ifdef ENABLE_CRYPTO_MBEDTLS /* Personalise the random by mixing in the certificate */ tls_ctx_personalise_random(new_ctx); -- 2.47.2