authorBernhard Schmidt <berni@debian.org>2019-02-20 14:11:51 +0100
committerBernhard Schmidt <berni@debian.org>2019-02-20 14:11:51 +0100
commit39ddb9cc8281bd239b94a3023da6329edb6718c1 (patch)
treedc6a8e7f1018f59f088c5b06b48eb24efe17f22d /src/openvpn/ssl_backend.h
parentd5078cc44b8919a25cb7507e9e6da1d66f25bb5b (diff)
parent87356242baf10c8b2a94d9013e436ed2a0dada53 (diff)
Update upstream source from tag 'upstream/2.4.7'
Update to upstream version '2.4.7' with Debian dir d01da6ef78dc8ce91265e8f319468f6c34d23af8
Diffstat (limited to 'src/openvpn/ssl_backend.h')
-rw-r--r--src/openvpn/ssl_backend.h25
1 files changed, 20 insertions, 5 deletions
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index e704de8..c614efa 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -171,7 +171,8 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
/**
- * Restrict the list of ciphers that can be used within the TLS context.
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.2
+ * and below
*
* @param ctx TLS context to restrict, must be valid.
* @param ciphers String containing : delimited cipher names, or NULL to use
@@ -180,6 +181,16 @@ bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
/**
+ * Restrict the list of ciphers that can be used within the TLS context for TLS 1.3
+ * and higher
+ *
+ * @param ctx TLS context to restrict, must be valid.
+ * @param ciphers String containing : delimited cipher names, or NULL to use
+ * sane defaults.
+ */
+void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers);
+
+/**
* Set the TLS certificate profile. The profile defines which crypto
* algorithms may be used in the supplied certificate.
*
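Review bot: The new tls_ctx_restrict_ciphers_tls13 declaration returns void and its comment does not say what the caller can expect when the backend cannot apply the list — the crypto library predates TLS 1.3, or a name in `ciphers` is unrecognised — which matters because a cipher restriction that is silently dropped leaves the handshake accepting suites the administrator meant to exclude. Whether that case is fatal or only logged is decided in the backend sources, which are not in this hunk, so the header should spell out the contract; I would add ` * Backends that cannot honour the list (no TLS 1.3 support, or an unknown suite name) must either abort or log a warning; they must never apply a partial list silently.` to the comment, adjusted to whatever the backends actually do. It would also help to say that a NULL list is presumably left to the library's own TLS 1.3 defaults rather than an OpenVPN-chosen default as for tls_ctx_restrict_ciphers — confirm against the implementations — and that the names here are the library's TLS 1.3 ciphersuite names, not the TLS 1.2 cipher strings the older function accepts.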
@@ -515,15 +526,19 @@ int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf,
void print_details(struct key_state_ssl *ks_ssl, const char *prefix);
/*
- * Show the TLS ciphers that are available for us to use in the OpenSSL
- * library.
+ * Show the TLS ciphers that are available for us to use in the
+ * library depending on the TLS version. This function prints
+ * a list of ciphers without headers/footers.
*
* @param cipher_list list of allowed TLS cipher, or NULL.
* @param tls_cert_profile TLS certificate crypto profile name.
+ * @param tls13 Select if <=TLS1.2 or TLS1.3+ ciphers
+ * should be shown
*/
void
-show_available_tls_ciphers(const char *cipher_list,
- const char *tls_cert_profile);
+show_available_tls_ciphers_list(const char *cipher_list,
+ const char *tls_cert_profile,
+ bool tls13);
/*
* Show the available elliptic curves in the crypto library
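Review bot: The comment block for show_available_tls_ciphers_list at the top of the hunk still opens with `/*` while the other documented declarations in this file use `/**` (see the tls_ctx_restrict_ciphers_tls13 block above), so the `@param` tags added here are not picked up as API documentation; change the opener to `/**`. The new `tls13` flag also needs its failure mode stated: if the crypto library was built without TLS 1.3, the comment should say whether the function prints nothing, a warning, or aborts, because a caller enumerating suites will otherwise misread an empty list as "no suites permitted"; that behaviour lives in the backend implementation rather than this header, so I am inferring the need, not the outcome. A boolean selector parameter is harder to read at call sites than two named entry points, but if it stays, phrase the tag so each value is explicit: `@param tls13 true to list TLS 1.3+ ciphersuites, false to list TLS 1.2 and older ciphers`.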