The last version of the patch used the TLS 1.2 variant,
tls_ctx_restrict_ciphers, to set the restrictions for both
TLS 1.3 and TLS 1.2 instead of using tls_ctx_restrict_ciphers_tls13
for TLS 1.3.
Also fix minor style problem while I am touching the function
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20181011220639.7316-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17755.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -2002,15 +2002,16 @@ show_available_tls_ciphers_list(const char *cipher_list, |
2002 | 2002 |
if (tls13) |
2003 | 2003 |
{ |
2004 | 2004 |
SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); |
2005 |
+ tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); |
|
2005 | 2006 |
} |
2006 | 2007 |
else |
2007 | 2008 |
#endif |
2008 | 2009 |
{ |
2009 | 2010 |
SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION); |
2011 |
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); |
|
2010 | 2012 |
} |
2011 | 2013 |
|
2012 | 2014 |
tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile); |
2013 |
- tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); |
|
2014 | 2015 |
|
2015 | 2016 |
SSL *ssl = SSL_new(tls_ctx.ctx); |
2016 | 2017 |
if (!ssl) |
... | ... |
@@ -2039,7 +2040,8 @@ show_available_tls_ciphers_list(const char *cipher_list, |
2039 | 2039 |
else if (NULL == pair) |
2040 | 2040 |
{ |
2041 | 2041 |
/* No translation found, print warning */ |
2042 |
- printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name); |
|
2042 |
+ printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", |
|
2043 |
+ cipher_name); |
|
2043 | 2044 |
} |
2044 | 2045 |
else |
2045 | 2046 |
{ |
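Review bot: In the first hunk, both cipher-restriction calls now run before `tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);`, whereas the removed `tls_ctx_restrict_ciphers` call ran after it. If the profile setter also changes the context's cipher list or security level (its body is not visible here), the list this function prints could differ from what a real session offers, which matters when the output is used to audit a configuration. Consider moving the `tls_ctx_set_cert_profile` call above the `if (tls13)` block so the old order is kept, with a comment such as `/* profile first, cipher restriction last, as before this change */`. The function body and the `#if` that pairs with the visible `#endif` begin outside the hunk, so this should be checked against the full function.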