From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sun, 10 Apr 2022 12:21:57 -0400
Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
 enabled

Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
according to ciphers(1), the DEFAULT keyword cannot be combined with
other strings using the + character. In other words, ":+3DES:+RC4" gets
ignored.

The user is opting into insecure behavior, so let's keep it simple and
just allow everything.

This change fixes the obsolete-server-crypto test when openconnect is
built against openssl-1.1.x.

Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
 openssl.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/openssl.c b/openssl.c
index 3205dbd7..2bf594e7 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 			struct oc_text_buf *buf = buf_alloc();
 			if (vpninfo->pfs)
 				buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
+			else if (vpninfo->allow_insecure_crypto)
+				buf_append(buf, "ALL");
 			else
-				buf_append(buf, "DEFAULT");
-
-			if (vpninfo->allow_insecure_crypto)
-				buf_append(buf, ":+3DES:+RC4");
-			else
-				buf_append(buf, ":-3DES:-RC4");
+				buf_append(buf, "DEFAULT:-3DES:-RC4");
 
 			if (buf_error(buf)) {
 				vpn_progress(vpninfo, PRG_ERR,
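Review bot: The new `"ALL"` cipher string on the allow_insecure_crypto branch also admits OpenSSL's anonymous key-exchange suites (the aNULL group), which DEFAULT leaves out and which the pfs branch two lines above excludes explicitly with `!aNULL`; those suites drop server authentication entirely, a larger concession than accepting 3DES or RC4 to reach an obsolete server. Unless the opt-in is meant to cover unauthenticated suites, `buf_append(buf, "ALL:!aNULL");` keeps the commit's intent (every cipher, 3DES and RC4 included) while still requiring an authenticated key exchange. If anonymous suites are intended, a one-line comment above the branch stating that would spare the next reader the question. The enclosing openconnect_open_https begins and ends outside the hunk.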
-- 
2.35.1