From 56ab21091c0f1e07d0a6ef7815160f6ae072498d Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Wed, 1 Jan 2014 21:10:26 +0100
Subject: Disable export ciphers by default for OpenSSL builds.

Export ciphers are deliberately weak ciphers, and not fully supported by
OpenVPN since ephemeral RSA support has been removed a few commits ago.
This commit removes them from the default cipher list to avoid confusion.

PolarSSL does not support export ciphers, so no action required there.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-7-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8146
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/ssl_openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src/openvpn')

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 7ad7eab..f079652 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -219,7 +219,9 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
   if (ciphers == NULL)
     {
-      /* Nothing to do */
+      /* Use sane default */
+      if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+        msg(M_SSLERR, "Failed to set default TLS cipher list.");
       return;
     }
 
-- 
cgit