diff options
author | Bernhard Schmidt <Bernhard.Schmidt@lrz.de> | 2018-03-04 22:55:51 +0100 |
---|---|---|
committer | Bernhard Schmidt <Bernhard.Schmidt@lrz.de> | 2018-03-04 22:55:51 +0100 |
commit | 4afa7ed562410a1170223a7bc06efb3708af6a36 (patch) | |
tree | b895b41b7629c9a31de5cc15e7aa7805ddac87ce /src/openvpn/ssl.c | |
parent | a6daf938f5f616a4a67caa6580b0c99e9a8c3779 (diff) |
New upstream version 2.4.5upstream/2.4.5
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r-- | src/openvpn/ssl.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 0739cf7..effb8b2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -5,8 +5,8 @@ * packet encryption, packet authentication, and * packet compression. * - * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> - * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com> + * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> + * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com> * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or modify @@ -530,6 +530,10 @@ tls_version_parse(const char *vstr, const char *extra) { return TLS_VER_1_2; } + else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version) + { + return TLS_VER_1_3; + } else if (extra && !strcmp(extra, "or-highest")) { return max_version; @@ -616,12 +620,18 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_client_new(new_ctx); } + /* Restrict allowed certificate crypto algorithms */ + tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile); + /* Allowable ciphers */ /* Since @SECLEVEL also influces loading of certificates, set the * cipher restrictions before loading certificates */ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); - tls_ctx_set_options(new_ctx, options->ssl_flags); + if (!tls_ctx_set_options(new_ctx, options->ssl_flags)) + { + goto err; + } if (options->pkcs12_file) { @@ -3355,7 +3365,7 @@ tls_pre_decrypt(struct tls_multi *multi, { if (!ks->crypto_options.key_ctx_bi.initialized) { - msg(D_TLS_DEBUG_LOW, + msg(D_MULTI_DROPPED, "Key %s [%d] not initialized (yet), dropping packet.", print_link_socket_actual(from, &gc), key_id); goto error_lite; |