These are designed to ensure that we don't inadvertently break compatibility
with legacy/obsolete server crypto, and also that we don't *inadvertently
connect* to less-secure crypto than requested.
- 'pfs': connect to a server whose only KX is RSA KX [if and only if]
`--pfs` is [not specified]
- 'obsolete-server-crypt': connect to a server whose only ciphers are 3DES
and/or RC4 [if and only if] `--allow-insecure-crypto` is specified
Signed-off-by: Daniel Lenski <email address hidden>
However, some still-in-use VPN servers can't do any better. So instead, we
explicitly disable them, unless explicitly enabled with the
`--allow-insecure-crypto` option, or corresponding API functions.
Signed-off-by: Daniel Lenski <email address hidden>
- CentOS8 now has GnuTLS with client random bug fixed (remove XFAIL_TESTS="dtls-psk")
- Fedora 32 needs crypto-policies-scripts package for update-crypto-policies to work
- dtls-psk is frequently failing; add 1-second wait AFTER tunnel interface appears
Signed-off-by: Daniel Lenski <email address hidden>