git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Steffan Karger <steffan@karger.me>
	Thu, 1 Jan 2015 19:46:09 +0000 (20:46 +0100)
committer	Gert Doering <gert@greenie.muc.de>
	Sun, 4 Jan 2015 12:53:56 +0000 (13:53 +0100)
commit	bd9aa06feb41838689ed01f79845bc765f887ae3
tree	442b4f8fa33f93fded9550f5dc1a0ba0af968b56	tree
parent	98ea2ec5d8085a6b7bd4ac125a68bd4d5cf3e092	commit \| diff

Add option to disable Diffie Hellman key exchange by setting '--dh none'

As requested on the mailing list and in trac ticket #410, add an option to
disable 'traditional' Diffie Hellman key exchange. People want to be able
to create ecdh-only configurations.

This patch also disables RSA key exchange by default for OpenSSL builds, to
prevent that people who set "--dh none" but have an OpenSSL version that
doesn't support ECDH end up with a less secure connection. Note that users
that specify their own --tls-cipher override these defaults and thus can
still use whatever OpenSSL supports (and might thus end up with less secure
connections).

PolarSSL does not allow to easily disable RSA key exchange during runtime,
but its default compile options do not include RSA key exchange based
cipher suites.

Finally update the manpage to reflect the new behaviour, and while touching
it change the text to motivate users towards a more secure configuration.

v2 - disable RSA key exchange by default

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9376
Signed-off-by: Gert Doering <gert@greenie.muc.de>

doc/openvpn.8		diff \| blob \| blame \| history
src/openvpn/options.c		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_openssl.c		diff \| blob \| blame \| history