summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl_openssl.c
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2015-06-30 08:22:29 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2015-06-30 08:22:29 +0200
commit6149d88c5a2c58a9cc943ca02c36e8ee4e5d1751 (patch)
tree0fdc36dba5e216faf7ade9d7b327090b4a20bd2b /src/openvpn/ssl_openssl.c
parent63862ed15e1abb4b29c5a43b469321c928613c62 (diff)
Imported Upstream version 2.3.7upstream/2.3.7
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r--src/openvpn/ssl_openssl.c39
1 files changed, 26 insertions, 13 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index e77b736..be33caa 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -121,14 +121,15 @@ tmp_rsa_cb (SSL * s, int is_export, int keylength)
void
tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
- const int tls_version_min = (ssl_flags >> SSLF_TLS_VERSION_SHIFT) & SSLF_TLS_VERSION_MASK;
+ const int tls_version_max =
+ (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
ASSERT(NULL != ctx);
- if (tls_version_min > TLS_VER_UNSPEC)
- ctx->ctx = SSL_CTX_new (SSLv23_server_method ());
- else
+ if (tls_version_max == TLS_VER_1_0)
ctx->ctx = SSL_CTX_new (TLSv1_server_method ());
+ else
+ ctx->ctx = SSL_CTX_new (SSLv23_server_method ());
if (ctx->ctx == NULL)
msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method");
@@ -139,14 +140,15 @@ tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
void
tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
- const int tls_version_min = (ssl_flags >> SSLF_TLS_VERSION_SHIFT) & SSLF_TLS_VERSION_MASK;
+ const int tls_version_max =
+ (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
ASSERT(NULL != ctx);
- if (tls_version_min > TLS_VER_UNSPEC)
- ctx->ctx = SSL_CTX_new (SSLv23_client_method ());
- else
+ if (tls_version_max == TLS_VER_1_0)
ctx->ctx = SSL_CTX_new (TLSv1_client_method ());
+ else
+ ctx->ctx = SSL_CTX_new (SSLv23_client_method ());
if (ctx->ctx == NULL)
msg (M_SSLERR, "SSL_CTX_new SSLv23_client_method");
@@ -218,17 +220,28 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
/* process SSL options including minimum TLS version we will accept from peer */
{
long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- const int tls_version_min = (ssl_flags >> SSLF_TLS_VERSION_SHIFT) & SSLF_TLS_VERSION_MASK;
- if (tls_version_min > TLS_VER_1_0)
+ const int tls_ver_min =
+ (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
+ int tls_ver_max =
+ (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
+
+ if (tls_ver_max <= TLS_VER_UNSPEC)
+ tls_ver_max = tls_version_max();
+
+ if (tls_ver_min > TLS_VER_1_0 || tls_ver_max < TLS_VER_1_0)
sslopt |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1
- if (tls_version_min > TLS_VER_1_1)
+ if (tls_ver_min > TLS_VER_1_1 || tls_ver_max < TLS_VER_1_1)
sslopt |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
- if (tls_version_min > TLS_VER_1_2)
+ if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
sslopt |= SSL_OP_NO_TLSv1_2;
#endif
+#ifdef SSL_OP_NO_COMPRESSION
+ /* Disable compression - flag not available in OpenSSL 0.9.8 */
+ sslopt |= SSL_OP_NO_COMPRESSION;
+#endif
SSL_CTX_set_options (ctx->ctx, sslopt);
}
@@ -1327,7 +1340,7 @@ show_available_tls_ciphers (const char *cipher_list)
}
}
- printf ("\n");
+ printf ("\n" SHOW_TLS_CIPHER_LIST_WARNING);
SSL_free (ssl);
SSL_CTX_free (tls_ctx.ctx);