@@ -1034,6 +1034,7 @@ print_openssl_info(const struct options *options)

         if (options->show_tls_ciphers)

         {

             show_available_tls_ciphers(options->cipher_list,

+                                       options->cipher_list_tls13,

                                        options->tls_cert_profile);

         }

         if (options->show_curves)

@@ -4116,6 +4116,30 @@ tls_check_ncp_cipher_list(const char *list)

     return 0 < strlen(list) && !unsupported_cipher_found;

 }

+void

+show_available_tls_ciphers(const char *cipher_list,

+                           const char *cipher_list_tls13,

+                           const char *tls_cert_profile)

+{

+    printf("Available TLS Ciphers, listed in order of preference:\n");

+

+#if (ENABLE_CRYPTO_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x1010100fL)

+    printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");

+    show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);

+#else

+    (void) cipher_list_tls13;  /* Avoid unused warning */

+#endif

+

+    printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");

+    show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);

+

+    printf("\n"

+    "Be aware that that whether a cipher suite in this list can actually work\n"

+    "depends on the specific setup of both peers. See the man page entries of\n"

+    "--tls-cipher and --show-tls for more details.\n\n"

+    );

+}

+

 /*

  * Dump a human-readable rendition of an openvpn packet

  * into a garbage collectable string which is returned.

@@ -598,4 +598,18 @@ bool is_hard_reset(int op, int key_method);

 void delayed_auth_pass_purge(void);

+

+/*

+ * Show the TLS ciphers that are available for us to use in the SSL

+ * library with headers hinting their usage and warnings about usage.

+ *

+ * @param cipher_list       list of allowed TLS cipher, or NULL.

+ * @param cipher_list_tls13 list of allowed TLS 1.3+ cipher, or NULL

+ * @param tls_cert_profile  TLS certificate crypto profile name.

+ */

+void

+show_available_tls_ciphers(const char *cipher_list,

+                           const char *cipher_list_tls13,

+                           const char *tls_cert_profile);

+

 #endif /* ifndef OPENVPN_SSL_H */

@@ -517,15 +517,19 @@ int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf,

 void print_details(struct key_state_ssl *ks_ssl, const char *prefix);

 /*

- * Show the TLS ciphers that are available for us to use in the OpenSSL

- * library.

+ * Show the TLS ciphers that are available for us to use in the

+ * library depending on the TLS version. This function prints

+ * a list of ciphers without headers/footers.

  *

  * @param cipher_list       list of allowed TLS cipher, or NULL.

  * @param tls_cert_profile  TLS certificate crypto profile name.

+ * @param tls13             Select if <=TLS1.2 or TLS1.3+ ciphers

+ *                          should be shown

  */

 void

-show_available_tls_ciphers(const char *cipher_list,

-                           const char *tls_cert_profile);

+show_available_tls_ciphers_list(const char *cipher_list,

+                                const char *tls_cert_profile,

+                                bool tls13);

 /*

  * Show the available elliptic curves in the crypto library

@@ -554,10 +554,4 @@ struct tls_multi

      *   sessions with the remote peer. */

 };

-

-#define SHOW_TLS_CIPHER_LIST_WARNING \

-    "Be aware that that whether a cipher suite in this list can actually work\n" \

-    "depends on the specific setup of both peers. See the man page entries of\n" \

-    "--tls-cipher and --show-tls for more details.\n\n"

-

 #endif /* SSL_COMMON_H_ */

@@ -1340,9 +1340,15 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)

 }

 void

-show_available_tls_ciphers(const char *cipher_list,

-                           const char *tls_cert_profile)

+show_available_tls_ciphers_list(const char *cipher_list,

+                                const char *tls_cert_profile,

+                                bool tls13)

 {

+    if (tls13)

+    {

+        /* mbed TLS has no TLS 1.3 support currently */

+        return;

+    }

     struct tls_root_ctx tls_ctx;

     const int *ciphers = mbedtls_ssl_list_ciphersuites();

@@ -1355,18 +1361,11 @@ show_available_tls_ciphers(const char *cipher_list,

         ciphers = tls_ctx.allowed_ciphers;

     }

-#ifndef ENABLE_SMALL

-    printf("Available TLS Ciphers,\n");

-    printf("listed in order of preference:\n\n");

-#endif

-

     while (*ciphers != 0)

     {

         printf("%s\n", mbedtls_ssl_get_ciphersuite_name(*ciphers));

         ciphers++;

     }

-    printf("\n" SHOW_TLS_CIPHER_LIST_WARNING);

-

     tls_ctx_free(&tls_ctx);

 }

@@ -60,6 +60,7 @@

 #include <openssl/pkcs12.h>

 #include <openssl/rsa.h>

 #include <openssl/x509.h>

+#include <openssl/ssl.h>

 #ifndef OPENSSL_NO_EC

 #include <openssl/ec.h>

 #endif

@@ -428,7 +429,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)

 }

 void

-convert_tls13_list_to_openssl(char* openssl_ciphers, size_t len, const char *ciphers)

+convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len,

+                              const char *ciphers)

 {

     /*

      * OpenSSL (and official IANA) cipher names have _ in them. We

@@ -1984,14 +1986,11 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)

 }

 void

-show_available_tls_ciphers(const char *cipher_list,

-                           const char *tls_cert_profile)

+show_available_tls_ciphers_list(const char *cipher_list,

+                                const char *tls_cert_profile,

+                                const bool tls13)

 {

     struct tls_root_ctx tls_ctx;

-    SSL *ssl;

-    const char *cipher_name;

-    const tls_cipher_name_pair *pair;

-    int priority = 0;

     tls_ctx.ctx = SSL_CTX_new(SSLv23_method());

     if (!tls_ctx.ctx)

@@ -1999,22 +1998,45 @@ show_available_tls_ciphers(const char *cipher_list,

         crypto_msg(M_FATAL, "Cannot create SSL_CTX object");

     }

-    ssl = SSL_new(tls_ctx.ctx);

-    if (!ssl)

+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)

+    if (tls13)

     {

-        crypto_msg(M_FATAL, "Cannot create SSL object");

+        SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);

+    }

+    else

+#endif

+    {

+        SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION);

     }

     tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);

     tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);

-    printf("Available TLS Ciphers,\n");

-    printf("listed in order of preference:\n\n");

-    while ((cipher_name = SSL_get_cipher_list(ssl, priority++)))

+    SSL *ssl = SSL_new(tls_ctx.ctx);

+    if (!ssl)

+    {

+        crypto_msg(M_FATAL, "Cannot create SSL object");

+    }

+

+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)

+    STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);

+#else

+    STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);

+#endif

+    for (int i=0;i < sk_SSL_CIPHER_num(sk);i++)

     {

-        pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));

+        const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);

+

+        const char *cipher_name = SSL_CIPHER_get_name(c);

+

+        const tls_cipher_name_pair *pair =

+            tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));

-        if (NULL == pair)

+        if (tls13)

+        {

+              printf("%s\n", cipher_name);

+        }

+        else if (NULL == pair)

         {

             /* No translation found, print warning */

             printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);

@@ -2023,10 +2045,10 @@ show_available_tls_ciphers(const char *cipher_list,

         {

             printf("%s\n", pair->iana_name);

         }

-

     }

-    printf("\n" SHOW_TLS_CIPHER_LIST_WARNING);

-

+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)

+    sk_SSL_CIPHER_free(sk);

+#endif

     SSL_free(ssl);

     SSL_CTX_free(tls_ctx.ctx);

 }