Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
according to ciphers(1), the DEFAULT keyword cannot be combined with
other strings using the + characters. In other words, ":+3DES:+RC4" gets
ignored.

The user is opting into insecure behavior, so let's keep it simple and
just allow everything.

This change fixes the obsolete-server-crypto test when openconnect is
built against openssl-1.1.x.

Signed-off-by: Mike Gilbert <floppym@gentoo.org>
struct oc_text_buf *buf = buf_alloc();
if (vpninfo->pfs)
buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
+ else if (vpninfo->allow_insecure_crypto)
+ buf_append(buf, "ALL");
else
- buf_append(buf, "DEFAULT");
-
- if (vpninfo->allow_insecure_crypto)
- buf_append(buf, ":+3DES:+RC4");
- else
- buf_append(buf, ":-3DES:-RC4");
+ buf_append(buf, "DEFAULT:-3DES:-RC4");
if (buf_error(buf)) {
vpn_progress(vpninfo, PRG_ERR,
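
Review bot: The `vpninfo->pfs` branch loses its 3DES/RC4 exclusion. If the removed second `if` ran after both branches, as the blank line separating it suggests, the PFS string used to end up as "HIGH:!aNULL:!eNULL:-RSA:-3DES:-RC4" by default, and after this change it is just "HIGH:!aNULL:!eNULL:-RSA". On OpenSSL versions where 3DES is still classed as HIGH, that re-enables 3DES for PFS users who never asked for insecure crypto; consider appending ":-3DES:-RC4" in that branch. Because the new test is an `else if`, setting both `pfs` and `allow_insecure_crypto` now silently ignores the latter, which deserves a comment or a documented precedence. Separately, per ciphers(1) "ALL" excludes only eNULL, so the new branch also offers anonymous (aNULL) suites that provide no server authentication. That goes well beyond the 3DES and RC4 the old string was aiming for; "ALL:!aNULL:!eNULL" would keep the legacy ciphers needed for obsolete servers while still requiring an authenticated peer.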