Your patch has been applied to the master and release/2.4 branch
(long term compatibility).
I had to fix one minor bit - it prints
For TLS 1.3 and newer (--tls-ciphersuite):
but that option is called "--tls-ciphersuites"...
I am not really able to make sense of it, though. If I try to specify
a TLS 1.3 ciphersuite, to see if it has any effect, all I get is errors
in the log ("no valid translation"), and no effect... so maybe something
with the --tls-ciphersuites patch is wrong, and this one is only
exposing it?
Arne, Steffan, could you have a look? This is "master" with OpenSSL 1.1.1:
$ src/openvpn/openvpn --verb 4 --tls-ciphersuites TLS_AES_256_GCM_SHA384
--show-tls --tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
Available TLS Ciphers, listed in order of preference:
For TLS 1.3 and newer (--tls-ciphersuite):
Thu Oct 11 20:32:44 2018 us=310005 No valid translation found for TLS cipher
'TLS_AES_256_GCM_SHA384'
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
For TLS 1.2 and older (--tls-cipher):
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
... so "--tls-cipher" is definitely sticking, while "--tls-ciphersuites"
leads to a confusing warning (if --verb is high enough), listing the very
same cipher(suite) in the next line...?
commit 7aeabadd69fca0071152c42d58fee0b565f01eb3 (master)
commit e8467c8648f699b221004a9f15d48b8e558049f0 (release/2.4)
Author: Arne Schwabe
Date: Wed Oct 10 17:36:24 2018 +0200
Add better support for showing TLS 1.3 ciphersuites in --show-tls
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Steffan Karger <[email protected]>
Message-Id: <[email protected]>
URL:
https://www.mail-archive.com/[email protected]/msg17723.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
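The output quoted in the message above shows two different cipher name spaces on one screen: the TLS 1.2 list is accepted in IANA-style dashed form and translated to OpenSSL names, while the TLS 1.3 list is printed with the IANA underscore names that OpenSSL 1.1.1 uses verbatim. The Python below is an added illustration, not OpenVPN's code and not part of this thread. It models the two option parsers side by side; the translation table is a constructed subset, and the "warn but pass the name through unchanged" behaviour for unknown names is an assumption chosen to reproduce the log line quoted above, where the warning is followed by the very same suite name.

```python
"""Model of --tls-cipher (TLS 1.2) vs --tls-ciphersuites (TLS 1.3) handling.

Constructed example for illustration; not OpenVPN's implementation.
"""

# Constructed subset of the IANA-dash -> OpenSSL translation used for
# --tls-cipher. The real table is much longer.
TLS12_IANA_TO_OPENSSL = {
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256": "DHE-RSA-AES256-SHA256",
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256": "DHE-RSA-AES128-SHA256",
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}

# TLS 1.3 suites known to OpenSSL 1.1.1; OpenSSL uses the IANA names as-is,
# so there is nothing to translate for --tls-ciphersuites.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def _split(option_value):
    """Split a colon-separated option value, dropping empty entries."""
    return [e.strip() for e in option_value.split(":") if e.strip()]


def translate_tls12(name):
    """Map one --tls-cipher entry to an OpenSSL name.

    Returns (openssl_name, warning_or_None). Assumption modelled on the
    quoted log: an unknown name is passed through unchanged with a warning
    rather than rejected, so a name from the wrong namespace still shows up
    in the resulting list right after the warning.
    """
    if name in TLS12_IANA_TO_OPENSSL:
        return TLS12_IANA_TO_OPENSSL[name], None
    if name in TLS12_IANA_TO_OPENSSL.values():
        return name, None  # already an OpenSSL name
    return name, f"No valid translation found for TLS cipher '{name}'"


def check_tls_cipher(option_value):
    """Process a --tls-cipher list; return (openssl_names, warnings)."""
    names, warnings = [], []
    for entry in _split(option_value):
        translated, warning = translate_tls12(entry)
        names.append(translated)
        if warning:
            warnings.append(warning)
    return names, warnings


def check_tls_ciphersuites(option_value):
    """Validate a --tls-ciphersuites list: exact match, no translation.

    A TLS 1.2 name (in either column of the translation table) is reported
    as misplaced so the operator sees why it has no effect on TLS 1.3.
    """
    names, warnings = [], []
    for entry in _split(option_value):
        if entry in TLS13_SUITES:
            names.append(entry)
        elif entry in TLS12_IANA_TO_OPENSSL or entry in TLS12_IANA_TO_OPENSSL.values():
            warnings.append(
                f"'{entry}' is a TLS 1.2 cipher name and belongs in --tls-cipher")
        else:
            warnings.append(f"unknown TLS 1.3 ciphersuite '{entry}'")
    return names, warnings


if __name__ == "__main__":
    # Reproduce the confusing case from the thread: a TLS 1.3 suite routed
    # through the TLS 1.2 translator warns and then lists the same name.
    print(check_tls_cipher("TLS_AES_256_GCM_SHA384"))
    print(check_tls_ciphersuites("TLS_AES_256_GCM_SHA384"))
    print(check_tls_cipher("TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"))
```

Running the script shows the asymmetry: the same TLS 1.3 name produces a warning plus a pass-through when routed through the TLS 1.2 translator, and validates cleanly when handled as a TLS 1.3 suite.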