Wrap force ciphersuite and min tbs version properties

2026-02-11 00:00:08 +08:00 · 2017-04-24 13:34:50 +03:00
parent 61228ed00d
commit 2fc3e13911
2 changed files with 84 additions and 0 deletions
--- a/Adapter/OpenVPNConfiguration.h
+++ b/Adapter/OpenVPNConfiguration.h
@@ -50,6 +50,22 @@ typedef NS_ENUM(NSInteger, OpenVPNCompressionMode) {
    OpenVPNCompressionModeDefault
 };

+/**
+ Minimum TLS version options
+ */
+typedef NS_ENUM(NSInteger, OpenVPNMinTLSVersion) {
+    /// Don't specify a minimum, and disable any minimum specified in profile
+    OpenVPNMinTLSVersionDisabled,
+    /// Use TLS 1.0 minimum (overrides profile)
+    OpenVPNMinTLSVersion10,
+    /// Use TLS 1.1 minimum (overrides profile)
+    OpenVPNMinTLSVersion11,
+    /// Use TLS 1.2 minimum (overrides profile)
+    OpenVPNMinTLSVersion12,
+    /// Use profile minimum
+    OpenVPNMinTLSVersionDefault
+};
+
@interface OpenVPNConfiguration : NSObject

 /**
@@ -134,4 +150,18 @@ typedef NS_ENUM(NSInteger, OpenVPNCompressionMode) {
 */
@property (nonatomic) NSInteger keyDirection;

+/**
+ If YES, force ciphersuite to be one of:
+ 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA, or
+ 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ and disable setting TLS minimum version.
+ This is intended for compatibility with legacy systems.
+ */
+@property (nonatomic) BOOL forceCiphersuitesAESCBC;
+
+/**
+ Override the minimum TLS version
+ */
+@property (nonatomic) OpenVPNMinTLSVersion minTLSVersion;
+
@end
--- a/Adapter/OpenVPNConfiguration.mm
+++ b/Adapter/OpenVPNConfiguration.mm
@@ -261,4 +261,58 @@ using namespace openvpn;
    _config.defaultKeyDirection = keyDirection;
 }

+- (BOOL)forceCiphersuitesAESCBC {
+    return _config.forceAesCbcCiphersuites;
+}
+
+-(void)setForceCiphersuitesAESCBC:(BOOL)forceCiphersuitesAESCBC {
+    _config.forceAesCbcCiphersuites = forceCiphersuitesAESCBC;
+}
+
+- (OpenVPNMinTLSVersion)minTLSVersion {
+    NSDictionary *options = @{
+        @"disabled": @(OpenVPNMinTLSVersionDisabled),
+        @"tls_1_0": @(OpenVPNMinTLSVersion10),
+        @"tls_1_1": @(OpenVPNMinTLSVersion11),
+        @"tls_1_2": @(OpenVPNMinTLSVersion12),
+        @"default": @(OpenVPNMinTLSVersionDefault),
+        @"": @(OpenVPNMinTLSVersionDefault)
+    };
+    
+    NSString *currentValue = [NSString stringWithUTF8String:_config.tlsVersionMinOverride.c_str()];
+    
+    NSNumber *preference = options[currentValue];
+    NSAssert(preference != nil, @"Incorrect minTLSVersion value");
+    
+    return (OpenVPNMinTLSVersion)[preference integerValue];
+}
+
+- (void)setMinTLSVersion:(OpenVPNMinTLSVersion)minTLSVersion {
+    switch (minTLSVersion) {
+        case OpenVPNMinTLSVersionDisabled:
+            _config.tlsVersionMinOverride = "disabled";
+            break;
+            
+        case OpenVPNMinTLSVersion10:
+            _config.tlsVersionMinOverride = "tls_1_0";
+            break;
+            
+        case OpenVPNMinTLSVersion11:
+            _config.tlsVersionMinOverride = "tls_1_1";
+            break;
+            
+        case OpenVPNMinTLSVersion12:
+            _config.tlsVersionMinOverride = "tls_1_2";
+            break;
+            
+        case OpenVPNMinTLSVersionDefault:
+            _config.tlsVersionMinOverride = "default";
+            break;
+            
+        default:
+            NSAssert(NO, @"Incorrect OpenVPNMinTLSVersion value");
+            break;
+    }
+}
+
@end