authorSteffan Karger <steffan@karger.me>2014-01-01 21:10:23 +0100
committerGert Doering <gert@greenie.muc.de>2014-01-03 15:02:17 +0100
commit5690c525e58769a72fb5dbe63b5f6af78dff92ad (patch)
treebed9f4d9de62876a2d6929c9289ef41fc6323dfc
parentdce118c833433cc0300cbcfe6b2d0cc3d5c34a3d (diff)
If --tls-cipher is supplied, make --show-tls parse the list.
This makes it possible to check the available TLS ciphers for a specific configuration by supplying both the --tls-cipher and --show-tls options. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-4-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8150 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit cb03dca83e37fd65666bf776f39da902fb10acbc)
-rw-r--r--src/openvpn/init.c2
-rw-r--r--src/openvpn/ssl_backend.h4
-rw-r--r--src/openvpn/ssl_openssl.c15
-rw-r--r--src/openvpn/ssl_polarssl.c8
4 files changed, 20 insertions, 9 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 7d33f21..52d370b 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -866,7 +866,7 @@ print_openssl_info (const struct options *options)
show_available_engines ();
#ifdef ENABLE_SSL
if (options->show_tls_ciphers)
- show_available_tls_ciphers ();
+ show_available_tls_ciphers (options->cipher_list);
#endif
return true;
}
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 07cb9ab..54383fe 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -454,8 +454,10 @@ void print_details (struct key_state_ssl * ks_ssl, const char *prefix);
/*
* Show the TLS ciphers that are available for us to use in the OpenSSL
* library.
+ *
+ * @param - list of allowed TLS cipher, or NULL.
*/
-void show_available_tls_ciphers ();
+void show_available_tls_ciphers (const char *tls_ciphers);
/*
* The OpenSSL library has a notion of preference in TLS ciphers. Higher
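Review bot: The added `@param - list of allowed TLS cipher, or NULL.` line names no parameter, and the prototype calls it `tls_ciphers` while both backend definitions in this commit call it `cipher_list`, so a reader cannot match the doc to the code. Use one name in both places and say where the value comes from, e.g. `* @param cipher_list  List of allowed TLS ciphers, as given to --tls-cipher, or NULL to show all.`. The lead sentence still says the ciphers are those available "in the OpenSSL library" although ssl_polarssl.c now implements the same function; "in the SSL library" would cover both backends.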
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 350cd7f..f7313fe 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1284,23 +1284,26 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix)
}
void
-show_available_tls_ciphers ()
+show_available_tls_ciphers (const char *cipher_list)
{
- SSL_CTX *ctx;
+ struct tls_root_ctx tls_ctx;
SSL *ssl;
const char *cipher_name;
const char *print_name;
const tls_cipher_name_pair *pair;
int priority = 0;
- ctx = SSL_CTX_new (SSLv23_method ());
- if (!ctx)
+ tls_ctx.ctx = SSL_CTX_new (SSLv23_method ());
+ if (!tls_ctx.ctx)
msg (M_SSLERR, "Cannot create SSL_CTX object");
- ssl = SSL_new (ctx);
+ ssl = SSL_new (tls_ctx.ctx);
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
+ if (cipher_list)
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
while ((cipher_name = SSL_get_cipher_list (ssl, priority++)))
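Review bot: tls_ctx_restrict_ciphers is applied to tls_ctx.ctx only after `ssl = SSL_new (tls_ctx.ctx);`, and OpenSSL copies the context's cipher list into the SSL object when SSL_new runs, so the SSL_get_cipher_list(ssl, …) loop below still enumerates the unrestricted list and --show-tls would print the same set with and without --tls-cipher. Move the `if (cipher_list) tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);` block above the SSL_new call and its NULL check so the restricted list is what gets duplicated into ssl; a quick check that `--show-tls --tls-cipher <one cipher>` prints a single entry would confirm it. The stack-local tls_ctx has only its ctx member set here; that is fine provided tls_ctx_restrict_ciphers touches nothing else in the struct, which I cannot confirm from this hunk. The function continues past the end of this hunk.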
@@ -1318,7 +1321,7 @@ show_available_tls_ciphers ()
printf ("\n");
SSL_free (ssl);
- SSL_CTX_free (ctx);
+ SSL_CTX_free (tls_ctx.ctx);
}
void
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index cdd9189..551c352 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -1033,10 +1033,16 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix)
}
void
-show_available_tls_ciphers ()
+show_available_tls_ciphers (const char *cipher_list)
{
+ struct tls_root_ctx tls_ctx;
const int *ciphers = ssl_list_ciphersuites();
+ if (cipher_list) {
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+ ciphers = tls_ctx.allowed_ciphers;
+ }
+
#ifndef ENABLE_SMALL
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
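Review bot: tls_ctx is an uninitialised stack local and nothing visible in this hunk releases whatever tls_ctx_restrict_ciphers stores in allowed_ciphers; if that helper allocates the array (its normal owner would be the context teardown path), this function leaks it unless the part after this hunk frees it, which I cannot see from here. The impact is limited because --show-tls exits right after printing, but declaring `struct tls_root_ctx tls_ctx = { 0 };` and releasing allowed_ciphers after the listing loop would keep ownership consistent with the normal setup path. The loop that consumes `ciphers` is also outside the hunk, so I could not verify that the restricted array carries the same terminator the ssl_list_ciphersuites() list does.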