Export ciphers are deliberately weak ciphers, and not fully supported by OpenVPN since ephemeral RSA support was removed a few commits ago. This commit removes them from the default cipher list to avoid confusion.
PolarSSL does not support export ciphers, so no action required there. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_openssl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 5f6c270..9dced72 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -219,7 +219,9 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) { if (ciphers == NULL) { - /* Nothing to do */ + /* Use sane default */ + if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP")) + msg(M_SSLERR, "Failed to set default TLS cipher list."); return; } else -- 1.8.3.2
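Review bot: In the `ciphers == NULL` branch, the new `if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))` has no space after `if` and no braces around the `msg()` call, so the following `return;` is easy to misread as part of the error path; suggest `if (...) { msg(M_SSLERR, "Failed to set default TLS cipher list."); }`. The comment "Use sane default" would be more useful if it said what is excluded and why (export ciphers, as the commit message explains), and the literal "DEFAULT:!EXP" could live in a named constant so the default is documented in one place. It is also worth confirming from the surrounding code that `msg(M_SSLERR, ...)` does not return here, because if it does the function returns normally with the default cipher list not applied.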