Hi Arne, I haven't looked at the code, only at strings for now, and I'd like to pick a few nits.
On 26.09.18 at 15:44, Arne Schwabe wrote:

> OpenSSL 1.1.1 introduces a separate list for TLS 1.3 ciphers. As these
> interfaces are meant to be user facing or not exposed at all and we
> expose the tls-cipher interface, we should also expose tls-cipherlist.
> [...]
> index 15a10296..0b44a29d 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -5001,11 +5001,13 @@ determines the derivation of the tunnel session keys.
> .\"*********************************************************
> .TP
> .B \-\-tls\-cipher l
> +.TQ
> +.B \-\-tls\-ciphersuites l
> A list
> .B l
> of allowable TLS ciphers delimited by a colon (":").
>
> -This setting can be used to ensure that certain cipher suites are used (or
> +These setting can be used to ensure that certain cipher suites are used (or

These setting_s_ ...

> not used) for the TLS connection. OpenVPN uses TLS to secure the control
> channel, over which the keys that are used to protect the actual VPN traffic
> are exchanged.
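Review bot: the shared description introduced by the new `.TQ` pair ("A list .B l of allowable TLS ciphers delimited by a colon") now covers two options without saying which one applies to which protocol version; a reader of this paragraph alone cannot tell that `--tls-cipher` is for TLS 1.2 and below and `--tls-ciphersuites` for TLS 1.3, and that the two lists are separate (the commit message says so, the man page text here does not). Suggest adding that one sentence directly after the "delimited by a colon" line, and "These setting can be used" should read "These settings can be used".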
> @@ -5014,13 +5016,24 @@ The supplied list of ciphers is (after potential
> OpenSSL/IANA name translation)
> simply supplied to the crypto library. Please see the OpenSSL and/or mbed
> TLS
> documentation for details on the cipher list interpretation.
>
> +For OpenSSL the

add a comma before "the"

> +.B \-\-tls-cipher
> +is used for TLS 1.2 and below. For TLS 1.3 and up

add a comma at the end.

> +the
> +.B \-\-tls\-ciphersuites
> +setting is used. mbed TLS has no TLS 1.3 support yet and only the
> +.B \-\-tls-cipher
> +setting is used.
> +
> Use
> .B \-\-show\-tls
> to see a list of TLS ciphers supported by your crypto library.
>
> Warning!
> .B \-\-tls\-cipher
> -is an expert feature, which \- if used correcly \- can improve the security
> of
> +and
> +.B \-\-tls\-ciphersuites
> +are expert features, which \- if used correcly \- can improve the security of
> your VPN connection. But it is also easy to unwittingly use it to carefully

...use _them_...

> + msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. Ignoring
> TLS 1.3 cipher list: %s", ciphers);
> +}
> +

Is the blank between mbed and TLS right?

Cheers,
Matthias

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
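Review bot: the new man page paragraph in the second hunk ("mbed TLS has no TLS 1.3 support yet and only the --tls-cipher setting is used") does not tell the administrator what happens to a `--tls-ciphersuites` line in an mbed TLS build; the C hunk below shows it is accepted and ignored with only a warning. Since the whole point of these options is to restrict which suites may be negotiated, the man page should state explicitly that on mbed TLS the option is ignored with a warning, so a restricted TLS 1.3 suite list is not assumed to be enforced. Apart from that, "For OpenSSL the" needs a comma before "the", "For TLS 1.3 and up" needs a comma at the end, and "use it" should become "use them" now that the Warning paragraph covers both options.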
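Review bot: the `msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. Ignoring TLS 1.3 cipher list: %s", ciphers)` line is the only runtime signal that the option is a no-op on mbed TLS; that is defensible here because, per the man page hunk, mbed TLS has no TLS 1.3 support yet, so no TLS 1.3 suite can be negotiated regardless of the list. The log text and the man page should nevertheless say the same thing (the log says "ignoring", the man page only says "only the --tls-cipher setting is used"). The hunk is quoted without its `@@` header, so the condition that guards this branch is not visible in the review copy; please keep the full hunk in the next revision so the mbed TLS/OpenSSL split can be checked.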