www.infradead.org Git - users/dwmw2/openconnect.git/commit
author: Daniel Lenski <dlenski@gmail.com>
Fri, 22 Jan 2021 00:27:23 +0000 (16:27 -0800)
committer: Daniel Lenski <dlenski@gmail.com>
Sat, 23 Jan 2021 00:50:44 +0000 (16:50 -0800)
commit: 4e07eecaf04a48c3253a5dfd69d817673194e154
tree: 54b5c3089bc7996b77e69d70675bf8014b20fb89
parent: e5770db55a1aa331e5ef4ce68809e9b8653b5524
with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings

Because openconnect_set_allow_insecure_crypto() now does more than just attempt to reenable 3DES and ARC4,
its failure to enable those ciphers should not be treated as fatal, but merely a warning.

Setting the appropriate environment variable (GNUTLS_SYSTEM_PRIORITY_FILE or OPENSSL_CONF) to `/dev/null`
*before* crypto library initialization should ensure that a systemwide crypto configuration file doesn't
set a minimum crypto requirement which would override the user choice.

See https://gitlab.com/openconnect/openconnect/-/issues/211#note_482161646 for discussion of GnuTLS
settings, and https://www.openssl.org/docs/man1.1.1/man5/config.html for OpenSSL.

FIXME: OpenSSL implementation needs library reinitialization.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
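The ordering constraint the commit message relies on (the environment variable must be in place before the crypto library initializes, and a failure is a warning rather than a fatal error) can be modelled without linking either crypto library. The following is an added example, not code from the openconnect commit itself: `crypto_lib_init()` is a hypothetical stub standing in for the real GnuTLS/OpenSSL initialization, and `disable_system_crypto_policy()` / `system_policy_overridden()` are names invented here. Only the two environment variable names and the `/dev/null` value come from the commit message.

```c
/* Added example: models the "set env var before crypto init" rule from the
 * commit message. No real crypto library is linked; the init is a stub. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Environment variables named in the commit message, one per backend. */
#define ENV_GNUTLS  "GNUTLS_SYSTEM_PRIORITY_FILE"
#define ENV_OPENSSL "OPENSSL_CONF"

/* Hypothetical state: has the crypto library already been initialized? */
static int crypto_lib_initialized = 0;

/* Stub standing in for gnutls_global_init() / OpenSSL initialization. */
void crypto_lib_init(void)
{
    crypto_lib_initialized = 1;
}

/* Map a backend name to the variable that points at its systemwide config. */
static const char *policy_env_var(const char *backend)
{
    if (strcmp(backend, "gnutls") == 0)
        return ENV_GNUTLS;
    if (strcmp(backend, "openssl") == 0)
        return ENV_OPENSSL;
    return NULL;
}

/* Point the backend's systemwide config at /dev/null so it cannot impose a
 * minimum crypto requirement over the user's explicit choice.
 * Returns 0 on success, -2 if the user did not opt in (policy stays in force),
 * -1 if the library is already initialized (too late; warn, do not abort),
 * -3 for an unknown backend, -4 if setenv() itself failed. */
int disable_system_crypto_policy(int allow_insecure, const char *backend)
{
    const char *var = policy_env_var(backend);

    if (!allow_insecure)
        return -2;                 /* default: keep the systemwide policy */
    if (var == NULL)
        return -3;
    if (crypto_lib_initialized) {
        /* Mirrors the message: not fatal, merely a warning. */
        fprintf(stderr, "warning: crypto library already initialized; "
                        "systemwide policy still applies\n");
        return -1;
    }
    if (setenv(var, "/dev/null", 1) != 0)
        return -4;
    return 0;
}

/* Check helper: is the override for this backend currently in effect? */
int system_policy_overridden(const char *backend)
{
    const char *var = policy_env_var(backend);
    const char *val = var ? getenv(var) : NULL;
    return val != NULL && strcmp(val, "/dev/null") == 0;
}

int main(void)
{
    /* Correct order: opt-in, override, then initialize the library. */
    int rc = disable_system_crypto_policy(1, "gnutls");
    crypto_lib_init();
    printf("gnutls override rc=%d, active=%d\n", rc,
           system_policy_overridden("gnutls"));
    /* Too late for the second backend: library is already up. */
    rc = disable_system_crypto_policy(1, "openssl");
    printf("openssl override rc=%d, active=%d\n", rc,
           system_policy_overridden("openssl"));
    return 0;
}
```

The `-1` path is the case the FIXME in the message refers to: once the library has read its configuration, changing the variable has no effect without reinitializing, so the code reports it and continues rather than failing the connection.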
gnutls.c
library.c
main.c
openconnect-internal.h
openconnect.8.in
openssl.c