Enable DHE ciphers for Cisco DTLS

Tested-by: Peter Brant <peter.brant@gmail.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Oct 3, 2016 · bd7d9fa · bd7d9fa
1 parent 4732d08
commit bd7d9fa
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/gnutls-dtls.c b/gnutls-dtls.c
@@ -58,6 +58,10 @@ struct {
 	const char *prio;
 	const char *min_gnutls_version;
 } gnutls_dtls_ciphers[] = {
+	{ "DHE-RSA-AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1,
+	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+DHE-RSA:%COMPAT", "3.0.0" },
+	{ "DHE-RSA-AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1,
+	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+DHE-RSA:%COMPAT", "3.0.0" },
 	{ "AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1,
 	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT", "3.0.0" },
 	{ "AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1,

diff --git a/openssl-dtls.c b/openssl-dtls.c
@@ -537,6 +537,7 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 #endif
 	buf_append(buf, "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:");
 #endif
+	buf_append(buf, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:");
 	buf_append(buf, "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
 }
 
diff --git a/www/changelog.xml b/www/changelog.xml
@@ -15,6 +15,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
+       <li>Enable DHE ciphers for Cisco DTLS.</li>
        <li>Increase initial oNCP configuration buffer size.</li>
        <li>Reopen <tt>CONIN$</tt> when stdin is redirected on Windows.</li>
        <li>Improve support for point-to-point routing on Windows.</li>