From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sun, 10 Apr 2022 12:21:57 -0400
Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
 enabled

Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
according to ciphers(1), the DEFAULT keyword cannot be combined with
other strings using the + characters. In other words, ":+3DES:+RC4" gets
ignored.

The user is opting into insecure behavior, so let's keep it simple and
just allow everything.

This change fixes the obsolete-server-crypto test when openconnect is
built against openssl-1.1.x.

Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
 openssl.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/openssl.c b/openssl.c
index 3205dbd7..2bf594e7 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 			struct oc_text_buf *buf = buf_alloc();
 			if (vpninfo->pfs)
 				buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
+			else if (vpninfo->allow_insecure_crypto)
+				buf_append(buf, "ALL");
 			else
-				buf_append(buf, "DEFAULT");
-
-			if (vpninfo->allow_insecure_crypto)
-				buf_append(buf, ":+3DES:+RC4");
-			else
-				buf_append(buf, ":-3DES:-RC4");
+				buf_append(buf, "DEFAULT:-3DES:-RC4");
 
 			if (buf_error(buf)) {
 				vpn_progress(vpninfo, PRG_ERR,
-- 
2.35.1