authorSteffan Karger <steffan@karger.me>2015-10-06 20:38:27 +0200
committerGert Doering <gert@greenie.muc.de>2015-10-08 15:28:46 +0200
commit7246ccfdbe6039c5c578ecaa07505307d53b8e84 (patch)
treee15eb04a1c59a6db278ef16029e198b81b819eb1
parentd17d362dfec1abc5bedcea2f1154470018c82eca (diff)
openssl: be less verbose about cipher translation errors
Translation errors are usually not a real problem, since we don't maintain the complete list of ciphers OpenSSL supports. So, be less verbose if we can not find a translation. Also, add 'translations' for commonly used negated cipher suites to suppress messages about those completely. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1444156707-14087-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10198 Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r--src/openvpn/ssl.c21
-rw-r--r--src/openvpn/ssl_openssl.c2
2 files changed, 12 insertions, 11 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 54a3e09..529d14d 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -232,18 +232,19 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
{"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
{"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
#ifdef ENABLE_CRYPTO_OPENSSL
+ /* OpenSSL-specific group names */
{"DEFAULT", "DEFAULT"},
{"ALL", "ALL"},
- {"HIGH", "HIGH"},
- {"MEDIUM", "MEDIUM"},
- {"LOW", "LOW"},
- {"ECDH", "ECDH"},
- {"ECDSA", "ECDSA"},
- {"EDH", "EDH"},
- {"EXP", "EXP"},
- {"RSA", "RSA"},
- {"kRSA", "kRSA"},
- {"SRP", "SRP"},
+ {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
+ {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
+ {"LOW", "LOW"}, {"!LOW", "!LOW"},
+ {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
+ {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
+ {"EDH", "EDH"}, {"!EDH", "!EDH"},
+ {"EXP", "EXP"}, {"!EXP", "!EXP"},
+ {"RSA", "RSA"}, {"!RSA", "!RSA"},
+ {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
+ {"SRP", "SRP"}, {"!SRP", "!SRP"},
#endif
{NULL, NULL}
};
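Review bot: The negated forms added from `{"HIGH", "HIGH"}, {"!HIGH", "!HIGH"}` through `!SRP` cover only the ten group names on those lines, so other exclusions operators commonly write to harden a cipher list (for example `!aNULL`, `!eNULL`, `!MD5`), as well as `!DEFAULT`/`!ALL` and OpenSSL's `-` and `+` prefixes, still take the no-translation path. Assuming the lookup compares whole tokens (it is outside this hunk), stripping a leading `!`, `-` or `+` before the lookup and re-attaching it afterwards would handle every name without doubling the table. If the table approach stays, the new comment could say why identity entries exist, e.g. `/* OpenSSL-specific group names; identity entries (incl. negated forms) only silence the no-translation message */`.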
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index df9fa87..a38c41b 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -272,7 +272,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
// Issue warning on missing translation
// %.*s format specifier expects length of type int, so guarantee
// that length is small enough and cast to int.
- msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
+ msg (D_LOW, "No valid translation found for TLS cipher '%.*s'",
constrain_int(current_cipher_len, 0, 256), current_cipher);
}
else
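Review bot: Lowering this message from `M_WARN` to `D_LOW` means a mistyped or unsupported name in the cipher list is presumably no longer reported at normal verbosity, and that matters most for exclusions. If the untranslated token is handed to OpenSSL unchanged (that code is outside this hunk, so this is an assumption), a typo in a `!`-prefixed entry could leave the suite enabled with nothing in the log to show it. Logging the effective cipher list once after it has been applied, at a level operators normally see, would let them verify that the restriction took effect. The comment above the call still reads `// Issue warning on missing translation` and should be updated, e.g. `// Log at debug level on missing translation; the table is intentionally incomplete`. The body of tls_ctx_restrict_ciphers starts and ends outside the hunk.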