On 19/10/2021 20:31, Arne Schwabe wrote:
> With OpenSSL 3.0 the use of nid values is deprecated and new algorithms
> do not even have NID values anymore.
>
> This also works nicely with providers now:
>
>     openvpn --provider legacy:default --show-ciphers
>
> shows more ciphers (e.g. BF-CBC) than just
>
>     openvpn --show-ciphers
>
> when compiled with OpenSSL 3.0
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Looks good, and the tests work with OpenSSL 3 and OpenSSL 1.1.1 when I
also apply the "Do not allow CTS ciphers" patch.
One nitpick:
+struct collect_ciphers {
+ /* If we ever exceed this, we must be more selective */
+ const EVP_CIPHER *list[1000];
+ size_t num;
+};
+
+static void collect_ciphers(EVP_CIPHER *cipher, void *list)
+{
+ struct collect_ciphers* cipher_list = list;
+ if (cipher_list->num ==
(sizeof(cipher_list->list)/sizeof(*cipher_list->list)))
+ {
+ msg(M_WARN, "WARNING: Too many ciphers, not showing all");
+ return;
+ }
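Review bot: the capacity check in collect_ciphers() emits the "Too many ciphers" warning once for every cipher beyond the 1000-entry limit, not once per listing, because nothing records that truncation already happened; a `bool truncated` member in `struct collect_ciphers`, set on the first overflow and tested before calling msg(), would keep the output to a single warning. The same named constant that the reviewer suggests for the array length (e.g. `#define CIPHER_LIST_MAX 1000`, used both in `const EVP_CIPHER *list[CIPHER_LIST_MAX];` and in the comparison) would also let the warning state the limit, which makes the truncated output easier to interpret.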
I think it would be more readable to use a const (or a #define) for the
length of the cipher list array, instead of using sizeof.
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel