summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl.c
diff options
context:
space:
mode:
authorBernhard Schmidt <Bernhard.Schmidt@lrz.de>2018-03-04 22:55:51 +0100
committerBernhard Schmidt <Bernhard.Schmidt@lrz.de>2018-03-04 22:55:51 +0100
commit4afa7ed562410a1170223a7bc06efb3708af6a36 (patch)
treeb895b41b7629c9a31de5cc15e7aa7805ddac87ce /src/openvpn/ssl.c
parenta6daf938f5f616a4a67caa6580b0c99e9a8c3779 (diff)
New upstream version 2.4.5upstream/2.4.5
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r--src/openvpn/ssl.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 0739cf7..effb8b2 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -5,8 +5,8 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
* Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
@@ -530,6 +530,10 @@ tls_version_parse(const char *vstr, const char *extra)
{
return TLS_VER_1_2;
}
+ else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
+ {
+ return TLS_VER_1_3;
+ }
else if (extra && !strcmp(extra, "or-highest"))
{
return max_version;
@@ -616,12 +620,18 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
tls_ctx_client_new(new_ctx);
}
+ /* Restrict allowed certificate crypto algorithms */
+ tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
+
/* Allowable ciphers */
/* Since @SECLEVEL also influces loading of certificates, set the
* cipher restrictions before loading certificates */
tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
- tls_ctx_set_options(new_ctx, options->ssl_flags);
+ if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
+ {
+ goto err;
+ }
if (options->pkcs12_file)
{
@@ -3355,7 +3365,7 @@ tls_pre_decrypt(struct tls_multi *multi,
{
if (!ks->crypto_options.key_ctx_bi.initialized)
{
- msg(D_TLS_DEBUG_LOW,
+ msg(D_MULTI_DROPPED,
"Key %s [%d] not initialized (yet), dropping packet.",
print_link_socket_actual(from, &gc), key_id);
goto error_lite;