Bundle lz4.c and lz4.h from http://code.google.com/p/lz4/ (r109) as
src/compat/compat-lz4.[ch], and use that (via #define NEED_COMPAT_LZ4)
if autoconf cannot find lz4.h or -llz4 in the system.
Signed-off-by: Gert Doering
---
configure.ac| 5 +-
Implement LZ4 compression, similar to the existing snappy / push-peer-info
model: a LZ4 capable client will send IV_LZ4=1 to the server, and the
algorithm is selected by pushing "compress lz4" back.
LZ4 does not compress as well as LZO or Snappy, but needs far less CPU
and is much faster, thus
This code would not really generate ephemeral keys every time it is called,
but a single key that would be reused during process lifetime and returned
each time the function was called; probably not what users would expect.
TLS allows ephemeral keys to be used only when no other key exchange,
This diff looks like a lot has changed, but this just adds some ifs to check
for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export
ciphers by default in OpenVPN 2.4+.
Signed-off-by: Steffan Karger
---
src/openvpn/ssl.c | 5 +-
This allows to check the available TLS ciphers for a specific configuration
by supplying both --tls-cipher and --show-tls options.
Signed-off-by: Steffan Karger
---
src/openvpn/init.c | 2 +-
src/openvpn/ssl_backend.h | 4 +++-
src/openvpn/ssl_openssl.c | 15
Hi,
This patch set is meant to remove ephemeral RSA support from the master branch,
and disable (weak) export ciphers by default. While coding I came along some
other stuff I fixed along the way:
1/6: Update two old calls to TLSv1*() functions to SSLv23*() function, matching
the TLS
Commit 4b67f98 changed calls to TLSv1_{server,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger
---
src/openvpn/ssl_openssl.c | 4
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger
---
src/openvpn/ssl_openssl.c | 4 ++--
1 file changed, 2
Export ciphers are deliberately weak ciphers, and not fully supported by
OpenVPN since ephemeral RSA support has been removed a few commits ago.
This commit removes them from the default cipher list to avoid confusion.
PolarSSL does not support export ciphers, so no action required there.
Hi,
On 30-12-13 21:50, Gert Doering wrote:
> Could I ask you to provide a patch to remove this for 2.4?
Sure. I fixed some extra stuff along the way, I'll send a patch set in
a minute.
-Steffan