authorSteffan Karger <steffan@karger.me>2014-01-01 21:10:26 +0100
committerGert Doering <gert@greenie.muc.de>2014-01-05 18:41:54 +0100
commit56ab21091c0f1e07d0a6ef7815160f6ae072498d (patch)
treed7cf67234ea29778ce4e23375653a1fad2067d27 /src/openvpn/ssl_openssl.c
parente83313a8ba92684a660c9d78c536699f67dcdf63 (diff)
Disable export ciphers by default for OpenSSL builds.
Export ciphers are deliberately weak ciphers, and not fully supported by OpenVPN since ephemeral RSA support has been removed a few commits ago. This commit removes them from the default cipher list to avoid confusion. PolarSSL does not support export ciphers, so no action required there. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-7-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8146 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r--src/openvpn/ssl_openssl.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 7ad7eab..f079652 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -219,7 +219,9 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
{
if (ciphers == NULL)
{
- /* Nothing to do */
+ /* Use sane default */
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+ msg(M_SSLERR, "Failed to set default TLS cipher list.");
return;
}
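Review bot: The default string `"DEFAULT:!EXP"` in the `ciphers == NULL` branch excludes only export suites, so whatever else the linked OpenSSL's `DEFAULT` alias contains stays negotiable; on older library builds that may include low-strength suites such as single DES. Consider tightening it, e.g. `"DEFAULT:!EXP:!LOW"`, and replacing `/* Use sane default */` with a comment that states the policy, such as `/* Default list: library DEFAULT minus export-grade and low-strength suites */`. The `return` after `msg(M_SSLERR, ...)` is safe only if `M_SSLERR` is fatal, which this hunk does not show; otherwise a failed call would leave the context on the library's own default list, so that is worth confirming. As a style point, the new `if(` lacks the space used by `if (ciphers == NULL)` just above it. The body of `tls_ctx_restrict_ciphers` continues outside the hunk.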