diff options
| -rw-r--r-- | src/openvpn/init.c | 2 | ||||
| -rw-r--r-- | src/openvpn/ssl_backend.h | 4 | ||||
| -rw-r--r-- | src/openvpn/ssl_openssl.c | 15 | ||||
| -rw-r--r-- | src/openvpn/ssl_polarssl.c | 8 |
4 files changed, 20 insertions, 9 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7d33f21..52d370b 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -866,7 +866,7 @@ print_openssl_info (const struct options *options) show_available_engines (); #ifdef ENABLE_SSL if (options->show_tls_ciphers) - show_available_tls_ciphers (); + show_available_tls_ciphers (options->cipher_list); #endif return true; } diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 07cb9ab..54383fe 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -454,8 +454,10 @@ void print_details (struct key_state_ssl * ks_ssl, const char *prefix); /* * Show the TLS ciphers that are available for us to use in the OpenSSL * library. + * + * @param - list of allowed TLS cipher, or NULL. */ -void show_available_tls_ciphers (); +void show_available_tls_ciphers (const char *tls_ciphers); /* * The OpenSSL library has a notion of preference in TLS ciphers. Higher diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 350cd7f..f7313fe 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1284,23 +1284,26 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix) } void -show_available_tls_ciphers () +show_available_tls_ciphers (const char *cipher_list) { - SSL_CTX *ctx; + struct tls_root_ctx tls_ctx; SSL *ssl; const char *cipher_name; const char *print_name; const tls_cipher_name_pair *pair; int priority = 0; - ctx = SSL_CTX_new (SSLv23_method ()); - if (!ctx) + tls_ctx.ctx = SSL_CTX_new (SSLv23_method ()); + if (!tls_ctx.ctx) msg (M_SSLERR, "Cannot create SSL_CTX object"); - ssl = SSL_new (ctx); + ssl = SSL_new (tls_ctx.ctx); if (!ssl) msg (M_SSLERR, "Cannot create SSL object"); + if (cipher_list) + tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); + printf ("Available TLS Ciphers,\n"); printf ("listed in order of preference:\n\n"); while ((cipher_name = SSL_get_cipher_list (ssl, priority++))) @@ -1318,7 +1321,7 @@ show_available_tls_ciphers () printf ("\n"); SSL_free (ssl); - SSL_CTX_free (ctx); + SSL_CTX_free (tls_ctx.ctx); } void diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c index cdd9189..551c352 100644 --- a/src/openvpn/ssl_polarssl.c +++ b/src/openvpn/ssl_polarssl.c @@ -1033,10 +1033,16 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix) } void -show_available_tls_ciphers () +show_available_tls_ciphers (const char *cipher_list) { + struct tls_root_ctx tls_ctx; const int *ciphers = ssl_list_ciphersuites(); + if (cipher_list) { + tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); + ciphers = tls_ctx.allowed_ciphers; + } + #ifndef ENABLE_SMALL printf ("Available TLS Ciphers,\n"); printf ("listed in order of preference:\n\n"); |