diff options
author | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-12 17:15:33 +0200 |
---|---|---|
committer | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-12 17:15:33 +0200 |
commit | 3c1bbbc5137306ac0b650dfd0aee0097582475a5 (patch) | |
tree | 13f6be583efd2495f04a6d0a1ee26c117d202f59 | |
parent | 88b2200051556a3b268a73f2b9f81e6bec6920f1 (diff) | |
download | xK-3c1bbbc5137306ac0b650dfd0aee0097582475a5.tar.gz xK-3c1bbbc5137306ac0b650dfd0aee0097582475a5.tar.xz xK-3c1bbbc5137306ac0b650dfd0aee0097582475a5.zip |
degesch: add an "ssl_ciphers" option to servers
-rw-r--r-- | degesch.c | 9 |
1 files changed, 8 insertions, 1 deletions
@@ -1539,6 +1539,10 @@ static struct config_schema g_config_server[] = { .name = "ssl_ca_path", .comment = "OpenSSL CA bundle path", .type = CONFIG_ITEM_STRING }, + { .name = "ssl_ciphers", + .comment = "OpenSSL cipher preference list", + .type = CONFIG_ITEM_STRING, + .default_ = "\"DEFAULT:!MEDIUM:!LOW\"" }, { .name = "autoconnect", .comment = "Connect automatically on startup", @@ -3884,7 +3888,10 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e) SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL); SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s); - // TODO: allow specifying SSL_CTX_set_cipher_list() + const char *ciphers = get_config_string (s->config, "ssl_ciphers"); + if (ciphers && !SSL_CTX_set_cipher_list (ssl_ctx, ciphers)) + log_server_error (s, s->buffer, + "Failed to select any cipher from the cipher list"); SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |