with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings

Because openconnect_set_allow_insecure_crypto() now does more than just attempt to reenable 3DES and ARC4, its failure to enable those ciphers should not be treated as fatal, but merely a warning.

Setting the appropriate environment variable (GNUTLS_SYSTEM_PRIORITY_FILE or OPENSSL_CONF) to `/dev/null` *before* crypto library initialization should ensure that a systemwide crypto configuration file doesn't set a minimum crypto requirement which would override the user choice.

See https://gitlab.com/openconnect/openconnect/-/issues/211#note_482161646 for discussion of GnuTLS settings, and https://www.openssl.org/docs/man1.1.1/man5/config.html for OpenSSL.

FIXME: OpenSSL implementation needs library reinitialization.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>