OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This can 
be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0", but only if the 
cipher list is set before loading the certificates. This patch changes the 
order of loading.
---
 src/openvpn/ssl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 29280dce..9ca300c0 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct 
tls_root_ctx *new_ctx)
         tls_ctx_client_new(new_ctx);
     }
 
+    /* Allowable ciphers */
+    /* Since @SECLEVEL also influces loading of certificates, set the
+     * cipher restrictions before loading certificates */
+    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+
     tls_ctx_set_options(new_ctx, options->ssl_flags);
 
     if (options->pkcs12_file)
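Review bot: The added comment misspells "influences" as "influces"; since this line now documents the reason the call order matters, it should read `/* Since @SECLEVEL also influences loading of certificates, set the`. The move also places tls_ctx_restrict_ciphers() ahead of tls_ctx_set_options(new_ctx, options->ssl_flags); nothing in the hunk shows whether any ssl_flags affect how the cipher list is applied, so it is worth confirming that this relative order is intended and not just a side effect of inserting before the pkcs12 branch. init_ssl() begins and continues outside this hunk.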
@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx 
*new_ctx)
         tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
     }
 
-    /* Allowable ciphers */
-    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
-
 #ifdef ENABLE_CRYPTO_MBEDTLS
     /* Personalise the random by mixing in the certificate */
     tls_ctx_personalise_random(new_ctx);
-- 
2.11.0 (Apple Git-81)

