Diffstat (limited to 'main/openvpn/src/openvpn/ssl_openssl.c')
-rw-r--r--main/openvpn/src/openvpn/ssl_openssl.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/main/openvpn/src/openvpn/ssl_openssl.c b/main/openvpn/src/openvpn/ssl_openssl.c
index 68a1d591..0b63e260 100644
--- a/main/openvpn/src/openvpn/ssl_openssl.c
+++ b/main/openvpn/src/openvpn/ssl_openssl.c
@@ -219,8 +219,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
{
if (ciphers == NULL)
{
- /* Use sane default */
- if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+ /* Use sane default (disable export, and unsupported cipher modes) */
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP"))
msg(M_SSLERR, "Failed to set default TLS cipher list.");
return;
}
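Review bot: The new default cipher string on the `SSL_CTX_set_cipher_list` line is a bare literal, and the comment above it says only "unsupported cipher modes" without saying why PSK and SRP are unsupported; presumably OpenVPN never configures PSK or SRP credentials, so any such suite negotiated by a peer could never complete, but that reasoning belongs in the comment, e.g. `/* Use sane default: drop export-grade suites, and the PSK/SRP key-exchange families for which this code never provisions credentials */`. Note that everything else in the library's DEFAULT set is still accepted, so legacy suites the linked OpenSSL considers part of DEFAULT remain enabled unless the user passes --tls-cipher; the comment could say so explicitly so nobody reads "sane default" as "hardened". Hoisting the literal into a named constant such as `#define TLS_DEFAULT_CIPHERS "DEFAULT:!EXP:!PSK:!SRP"` would let the failure message report the exact list that was rejected (`msg(M_SSLERR, "Failed to set default TLS cipher list (%s).", TLS_DEFAULT_CIPHERS);`) and keep any documented default from drifting. tls_ctx_restrict_ciphers begins at the hunk header and its body continues past the end of the hunk.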
@@ -848,11 +848,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
msg(M_WARN, "WARNING: experimental option --capath %s", ca_path);
else
msg(M_SSLERR, "Cannot add lookup at --capath %s", ca_path);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
- msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
-#endif
}
}