* safe bet to say that server admins are better at updating their configs
  than client users are and if clients do want to restrict their ciphers,
  they should simply evict the ciphers they don't want from their cipher
  suite
* mbed TLS and OpenSSL behave more similarly with the
  SSL_OP_CIPHER_SERVER_PREFERENCE flag
---
 src/openvpn/ssl_openssl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 597c62d8..bb8098cc 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -252,6 +252,9 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int 
ssl_flags)
         {
             sslopt |= SSL_OP_NO_TLSv1_2;
         }
+#endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+       sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 #endif
         sslopt |= SSL_OP_NO_COMPRESSION;
         SSL_CTX_set_options(ctx->ctx, sslopt);
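Review bot: The added `sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;` carries no comment, although it moves the choice of cipher suite from the client's ordering to the server's, which makes the order of the server's configured cipher list security-relevant. I would put `/* Server picks the cipher by its own preference order, not the client's */` above it; the documentation for the cipher-list option likely needs the same remark, though that file is not part of this patch. The new line also appears to be indented one column short of the neighbouring `sslopt |=` lines, which may be a tab in a space-indented file. tls_ctx_set_options starts and ends outside the hunk, so I cannot see whether the same context setup is used for client sessions, where the option has no effect.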
-- 
2.14.1

