Export ciphers are deliberately weak ciphers, and are not fully supported by
OpenVPN since ephemeral RSA support was removed a few commits ago.
This commit removes them from the default cipher list to avoid confusion.

PolarSSL does not support export ciphers, so no action required there.

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/ssl_openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 5f6c270..9dced72 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -219,7 +219,9 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const 
char *ciphers)
 {
   if (ciphers == NULL)
     {
-      /* Nothing to do */
+      /* Use sane default */
+      if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+        msg(M_SSLERR, "Failed to set default TLS cipher list.");
       return;
     }
   else
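Review bot: style nit on the new `if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))` line: the enclosing function writes `if (ciphers == NULL)` with a space after `if`, so this should read `if (!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))` to match. Checking the return value is correct, since SSL_CTX_set_cipher_list returns 0 when no cipher in the string could be selected, and the `return` that follows relies on M_SSLERR being fatal. Note also that the new default is only applied on the `ciphers == NULL` path; a caller that passes its own cipher string still goes through the `else` branch and is not affected by this change, which may be worth a sentence in the commit message.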
-- 
1.8.3.2
