Hi, On 21-08-17 23:09, Szilárd Pfeiffer wrote: > * safe bet to say that server admins are better at updating their configs > than client users are and if client do want to restrict their ciphers, > they should simply evict the ciphers they don't want from their cipher > suite > * mbed TLS and OpenSSL behave more similar with the > SSL_OP_CIPHER_SERVER_PREFERENCE flag > --- > src/openvpn/ssl_openssl.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 597c62d8..bb8098cc 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -252,6 +252,9 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned > int ssl_flags) > { > sslopt |= SSL_OP_NO_TLSv1_2; > } > +#endif > +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE > + sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE; > #endif > sslopt |= SSL_OP_NO_COMPRESSION; > SSL_CTX_set_options(ctx->ctx, sslopt); >
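Review bot: The added "sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;" in tls_ctx_set_options() has no comment saying why it is set, and because it sits behind "#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE", a build where the macro is undefined silently keeps the client's cipher ordering. A one-line comment above the assignment would help, stating that the server's cipher order wins and that this matches the mbed TLS behaviour named in the commit message. The diffstat shows only ssl_openssl.c changed, so this change in cipher negotiation also deserves a mention in the user-facing documentation.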
The indent is one space short, but that can be fixed when applying the patch. Other than that, this looks good. ACK.

-Steffan