1 files changed, 46 insertions, 0 deletions

diff --git a/net-vpn/openconnect/files/8.20-insecure-crypto.patch b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
new file mode 100644
index 000000000000..7644e1a264ba
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
@@ -0,0 +1,46 @@
+From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Sun, 10 Apr 2022 12:21:57 -0400
+Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
+ enabled
+
+Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
+according to ciphers(1), the DEFAULT keyword cannot be combined with
+other strings using the + characters. In other words, ":+3DES:+RC4" gets
+ignored.
+
+The user is opting into insecure behavior, so let's keep it simple and
+just allow everything.
+
+This change fixes the obsolete-server-crypto test when openconnect is
+built against openssl-1.1.x.
+
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+---
+ openssl.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/openssl.c b/openssl.c
+index 3205dbd7..2bf594e7 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
+ 			struct oc_text_buf *buf = buf_alloc();
+ 			if (vpninfo->pfs)
+ 				buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
++			else if (vpninfo->allow_insecure_crypto)
++				buf_append(buf, "ALL");
+ 			else
+-				buf_append(buf, "DEFAULT");
+-
+-			if (vpninfo->allow_insecure_crypto)
+-				buf_append(buf, ":+3DES:+RC4");
+-			else
+-				buf_append(buf, ":-3DES:-RC4");
++				buf_append(buf, "DEFAULT:-3DES:-RC4");
+ 
+ 			if (buf_error(buf)) {
+ 				vpn_progress(vpninfo, PRG_ERR,
+-- 
+2.35.1
+