From 171e43142c82b6f0bf2cd5e4ce9265bb95527579 Mon Sep 17 00:00:00 2001 | |
From: Arne Schwabe <arne@rfc2549.org> | |
Date: Wed, 19 Feb 2020 14:16:10 +0100 | |
Subject: [PATCH] Use PROFILE=SYSTEM instead of DEFAULT for ssl ciphers on | |
RHEL/Fedora | |
There is a Redhat/Fedora policy that you should not use "DEFAULT" and | |
SSL_CTX_set_cipher_list as that overrides the system wide policies. | |
Dropping this call however on Fedora/Redhat would weaken our security | |
as we would then allow cipher suites which do not have forward secrecy. | |
The acceptable workaround is to use "PROFILE=SYSTEM" instead of "DEFAULT" | |
Use the macro SSL_SYSTEM_DEFAULT_CIPHER_LIST defined by those operating | |
systems to use PROFILE=SYSTEM. | |
--- | |
openvpn/openssl/ssl/sslctx.hpp | 20 +++++++++++++++++++- | |
1 file changed, 19 insertions(+), 1 deletion(-) | |
diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp | |
index 05f8db8b..d4e3e9fd 100644 | |
--- a/openvpn/openssl/ssl/sslctx.hpp | |
+++ b/openvpn/openssl/ssl/sslctx.hpp | |
@@ -1096,9 +1096,26 @@ namespace openvpn { | |
} | |
else | |
{ | |
+ /* | |
+ * There is a Redhat/Fedora policy that you should not use "DEFAULT" and | |
+ * SSL_CTX_set_cipher_list as that overrides the system wide policies. | |
+ * | |
+ * Dropping this call however on Fedora/Redhat would weaken our security | |
+ * as we would then allow cipher suites which do not have forward secrecy | |
+ * The acceptable workaround is to use "PROFILE=SYSTEM" instead of "DEFAULT" | |
+ * | |
+ * Use the macro SSL_SYSTEM_DEFAULT_CIPHER_LIST defined by those operating | |
+ * systems to use PROFILE=SYSTEM. | |
+ */ | |
+#if defined(SSL_SYSTEM_DEFAULT_CIPHER_LIST) | |
+#define OSSL_DEFAULT SSL_SYSTEM_DEFAULT_CIPHER_LIST | |
+#else | |
+#define OSSL_DEFAULT "DEFAULT" | |
+#endif | |
+ | |
if (!SSL_CTX_set_cipher_list(ctx, | |
/* default list as a basis */ | |
- "DEFAULT" | |
+ OSSL_DEFAULT | |
/* Disable export ciphers, low and medium */ | |
":!EXP:!LOW:!MEDIUM" | |
/* Disable static (EC)DH keys (no forward secrecy) */ | |
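Review bot: The helper macro introduced at the `#define OSSL_DEFAULT` lines uses the `OSSL_` prefix, which is OpenSSL's own public-API namespace in 3.x (`OSSL_PARAM`, `OSSL_LIB_CTX`, …); a project-prefixed name such as `OPENVPN_OSSL_DEFAULT_CIPHER_LIST`, matching the `OPENVPN_THROW` used a few lines below, avoids a future clash and makes it obvious the macro is local to this one call (its `#undef` sits in the second hunk). The 11-line comment repeats the commit message verbatim; in the code a shorter note reads better, e.g. `// Fedora/RHEL define SSL_SYSTEM_DEFAULT_CIPHER_LIST ("PROFILE=SYSTEM") so the system crypto policy, not OpenSSL's built-in DEFAULT, is the basis; the "!..." exclusions below are still applied on top of it.` One caveat worth recording there: `SSL_CTX_set_cipher_list` governs only TLS 1.2-and-earlier cipher suites, so the system profile selected here has no effect on the TLS 1.3 ciphersuite list, which would be configured separately via `SSL_CTX_set_ciphersuites` if this file does so (not visible in the hunk). Whether exclusions appended after `PROFILE=SYSTEM` are honoured depends on the distribution's OpenSSL patch, so a check of the resulting cipher list on a Fedora/RHEL build would confirm the intended behaviour. The enclosing function starts and ends outside the hunk.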
@@ -1115,6 +1132,7 @@ namespace openvpn { | |
":!SSLv2" | |
)) | |
OPENVPN_THROW(ssl_context_error, "OpenSSLContext: SSL_CTX_set_cipher_list failed"); | |
+#undef OSSL_DEFAULT | |
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L | |
SSL_CTX_set_ecdh_auto(ctx, 1); // this method becomes a no-op in OpenSSL 1.1 | |
#endif | |
-- | |
2.25.0 | |