diff options
| author | Matt Caswell <matt@openssl.org> | 2018-02-16 11:26:02 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-03-14 10:15:50 +0000 |
| commit | f865b08143b453962ad4afccd69e698d13c60f77 (patch) | |
| tree | 9d1a2ae3fabc63589815a2426456417ec1d14f33 /apps/ciphers.c | |
| parent | 5b68d1792021463b7cd5d76c82b251d61a56d869 (diff) | |
| download | openssl-f865b08143b453962ad4afccd69e698d13c60f77.zip openssl-f865b08143b453962ad4afccd69e698d13c60f77.tar.gz openssl-f865b08143b453962ad4afccd69e698d13c60f77.tar.bz2 | |
Split configuration of TLSv1.3 ciphers from older ciphers
With the current mechanism, old cipher strings that used to work in 1.1.0,
may inadvertently disable all TLSv1.3 ciphersuites causing connections to
fail. This is confusing for users.
In reality TLSv1.3 are quite different to older ciphers. They are much
simpler and there are only a small number of them so, arguably, they don't
need the same level of control that the older ciphers have.
This change splits the configuration of TLSv1.3 ciphers from older ones.
By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable
them through your existing config.
Fixes #5359
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
Diffstat (limited to 'apps/ciphers.c')
| -rw-r--r-- | apps/ciphers.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/apps/ciphers.c b/apps/ciphers.c index 4e8ffd1..0bb33a4 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -26,6 +26,7 @@ typedef enum OPTION_choice { OPT_TLS1_3, OPT_PSK, OPT_SRP, + OPT_CIPHERSUITES, OPT_V, OPT_UPPER_V, OPT_S } OPTION_CHOICE; @@ -57,6 +58,8 @@ const OPTIONS ciphers_options[] = { {"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"}, #endif {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"}, + {"ciphersuites", OPT_CIPHERSUITES, 's', + "Configure the TLSv1.3 ciphersuites to use"}, {NULL} }; @@ -91,7 +94,7 @@ int ciphers_main(int argc, char **argv) int srp = 0; #endif const char *p; - char *ciphers = NULL, *prog, *convert = NULL; + char *ciphers = NULL, *prog, *convert = NULL, *ciphersuites = NULL; char buf[512]; OPTION_CHOICE o; int min_version = 0, max_version = 0; @@ -153,6 +156,9 @@ int ciphers_main(int argc, char **argv) srp = 1; #endif break; + case OPT_CIPHERSUITES: + ciphersuites = opt_arg(); + break; } } argv = opt_rest(); @@ -185,6 +191,12 @@ int ciphers_main(int argc, char **argv) if (srp) SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp); #endif + + if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { + BIO_printf(bio_err, "Error setting TLSv1.3 ciphersuites\n"); + goto err; + } + if (ciphers != NULL) { if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { BIO_printf(bio_err, "Error in cipher list\n"); |