Arne Schwabe <a...@rfc2549.org> on Mon, 2017/06/26 13:13: > OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This > can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but only > if the cipher list is set before loading the certificates. This patch > changes the order of loading. --- src/openvpn/ssl.c | 8 +++++--- 1 file > changed, 5 insertions(+), 3 deletions(-) > > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index 29280dce..9ca300c0 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct > tls_root_ctx *new_ctx) tls_ctx_client_new(new_ctx); > } > > + /* Allowable ciphers */ > + /* Since @SECLEVEL also influces loading of certificates, set the > + * cipher restrictions before loading certificates */ > + tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); > + > tls_ctx_set_options(new_ctx, options->ssl_flags); > > if (options->pkcs12_file) > @@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct > tls_root_ctx *new_ctx) tls_ctx_load_ecdh_params(new_ctx, > options->ecdh_curve); } > > - /* Allowable ciphers */ > - tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); > - > #ifdef ENABLE_CRYPTO_MBEDTLS > /* Personalise the random by mixing in the certificate */ > tls_ctx_personalise_random(new_ctx);
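Review bot: the comment added in the first hunk has a typo, "influces" should read "influences"; suggest `/* Since @SECLEVEL also influences loading of certificates, set the`. The moved call also now runs before `tls_ctx_set_options(new_ctx, options->ssl_flags)`, whereas the commit message only motivates placing it before certificate loading, so a sentence in the commit message confirming that tls_ctx_restrict_ciphers does not depend on the flags applied there would make the reorder easier to verify.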
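Review bot: the second hunk drops the original call from after tls_ctx_load_ecdh_params, so the cipher restriction now precedes certificate and ECDH parameter loading for every backend, including the ENABLE_CRYPTO_MBEDTLS path visible directly below the removed lines; since the @SECLEVEL motivation is OpenSSL-specific, the commit message should state that the earlier placement is also correct for the mbedTLS implementation of tls_ctx_restrict_ciphers.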
Looks good and tested on a server with CA and server certificates using MD5. So ACK.

--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel