mbedtls: enable DHE-RSA key exchange
authorMagnus Kroken <mkroken@gmail.com>
Fri, 30 Dec 2016 00:31:29 +0000 (01:31 +0100)
committerFelix Fietkau <nbd@nbd.name>
Fri, 30 Dec 2016 12:06:43 +0000 (13:06 +0100)
Later OpenVPN 2.3-openssl versions only enable
TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE
cipher suites. ECDHE key exchange is not supported by
OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE
OpenVPN 2.4-mbedtls clients to connect to such servers.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reported-by: Lucian Cristian <luci@createc.ro>
package/libs/mbedtls/patches/200-config.patch

index bb74e61..dcee704 100644 (file)
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -622,7 +622,7 @@
-  *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
-  *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-  */
--#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-+//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
- /**
-  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 @@ -695,7 +695,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384