This explicitly disables a number of TLS cipher suites that OpenVPN currently does not support. OpenSSL will automatically detect this during negotiation, but --show-tls would erroneously show a number of unsupported ciphers.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/ssl_openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index f079652..c7531d9 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -219,8 +219,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
 if (ciphers == NULL)
 {
- /* Use sane default */
- if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+ /* Use sane default (disable export, and unsupported cipher modes) */
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP"))
 msg(M_SSLERR, "Failed to set default TLS cipher list.");
 return;
 }
-- 
1.8.3.2
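Review bot: The new default cipher string `"DEFAULT:!EXP:!PSK:!SRP"` is left as a bare literal inside the `ciphers == NULL` branch; if the `--show-tls` listing mentioned in the description is meant to reflect this same default (inferred from the description, not visible here), a shared named constant such as `#define TLS_DEFAULT_CIPHER_LIST "DEFAULT:!EXP:!PSK:!SRP"` used by both would keep the two from drifting apart again. Since OpenVPN's TLS authentication is certificate-based, consider also spelling out `!aNULL` in the same string so that the exclusion of anonymous key exchange does not depend on how OpenSSL's `DEFAULT` alias happens to be defined at build time (it presumably excludes it already, but the intent is then explicit in this file). Minor style: the added line keeps `if(!SSL_CTX_set_cipher_list(...))` with no space after `if`, unlike `if (ciphers == NULL)` two lines above; `if (!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP"))` would match. The body of tls_ctx_restrict_ciphers continues past the end of the hunk.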