From bd7d9fa8a7034dd6025496ae0327d3aee2f63ac4 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 3 Oct 2016 21:49:27 +0100
Subject: [PATCH] Enable DHE ciphers for Cisco DTLS

Tested-by: Peter Brant
Signed-off-by: David Woodhouse
---
 gnutls-dtls.c | 4 ++++
 openssl-dtls.c | 1 +
 www/changelog.xml | 1 +
 3 files changed, 6 insertions(+)

diff --git a/gnutls-dtls.c b/gnutls-dtls.c
index 07cb8f4a..3017cefb 100644
--- a/gnutls-dtls.c
+++ b/gnutls-dtls.c
@@ -58,6 +58,10 @@ struct {
 const char *prio;
 const char *min_gnutls_version;
 } gnutls_dtls_ciphers[] = {
+ { "DHE-RSA-AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1,
+ "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+DHE-RSA:%COMPAT", "3.0.0" },
+ { "DHE-RSA-AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1,
+ "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+DHE-RSA:%COMPAT", "3.0.0" },
 { "AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1,
 "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT", "3.0.0" },
 { "AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1,
diff --git a/openssl-dtls.c b/openssl-dtls.c
index ede21b54..89fce646 100644
--- a/openssl-dtls.c
+++ b/openssl-dtls.c
@@ -537,6 +537,7 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 #endif
 buf_append(buf, "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:");
 #endif
+ buf_append(buf, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:");
 buf_append(buf, "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
 }
diff --git a/www/changelog.xml b/www/changelog.xml
index c051d200..083f2c7e 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -15,6 +15,7 @@
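Review bot: The two new `GNUTLS_KX_DHE_RSA` entries at the head of `gnutls_dtls_ciphers[]` carry no comment on what the DHE key exchange actually provides on this DTLS 0.9 path. If the Cisco DTLS session is established by resuming from a master secret passed over the TLS control channel (not visible in this hunk), no Diffie-Hellman exchange runs and the names add server compatibility rather than forward secrecy; a line such as `/* DHE-RSA entries: listed for server compatibility; forward secrecy depends on whether the session is resumed or fully negotiated */` above them would stop the names being read as a guarantee. The entries are also ordered AES128 before AES256 here, while the string added in openssl-dtls.c puts `DHE-RSA-AES256-SHA` first, so the two backends may express different preferences if order is significant. The table's declaration and its remaining entries lie outside the hunk.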
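Review bot: The added `buf_append(buf, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:");` in openssl-dtls.c sits after the last `#endif`, so both names are advertised on every OpenSSL build, whereas the GnuTLS table ties each entry to a `min_gnutls_version`. If the linked library was built without DH support, the server could select a suite the client then cannot set up, which would presumably cost the DTLS channel for that session. Wrapping the line in `#ifndef OPENSSL_NO_DH` / `#endif` would avoid offering what the build cannot honour. The body of `append_dtls_ciphers` begins outside the hunk, so an earlier guard may already cover this.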
  • OpenConnect HEAD
      +
    • Enable DHE ciphers for Cisco DTLS.
    • Increase initial oNCP configuration buffer size.
    • Reopen CONIN$ when stdin is redirected on Windows.
    • Improve support for point-to-point routing on Windows.
    • -- 2.50.1