author | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-12 17:34:44 +0200 |
---|---|---|
committer | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-12 17:39:29 +0200 |
commit | f69ca8e54c57f1027e9fe7b6de6b090315120606 (patch) | |
tree | da170b8ac4d12808afdafd579c8c3d59781b771f | |
parent | 3c1bbbc5137306ac0b650dfd0aee0097582475a5 (diff) | |
kike: allow specifying the cipher list
-rw-r--r-- | kike.c | 9 |
1 files changed, 8 insertions, 1 deletions
@@ -31,6 +31,9 @@ enum { PIPE_READ, PIPE_WRITE };
 // --- Configuration (application-specific) ------------------------------------
+// Just get rid of the crappiest ciphers available by default
+#define DEFAULT_CIPHERS "DEFAULT:!MEDIUM:!LOW"
+
 static struct config_item g_config_table[] =
 {
 { "pid_file", NULL, "Path or name of the PID file" },
@@ -43,6 +46,7 @@ static struct config_item g_config_table[] =
 { "bind_port", "6667", "Port of the IRC server" },
 { "ssl_cert", NULL, "Server SSL certificate (PEM)" },
 { "ssl_key", NULL, "Server SSL private key (PEM)" },
+ { "ssl_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" },
 { "operators", NULL, "IRCop SSL cert. fingerprints" },
@@ -3506,7 +3510,10 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
 // XXX: perhaps we should read the files ourselves for better messages
- if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
+ const char *ciphers = str_map_find (&ctx->config, "ssl_ciphers");
+ if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))
+ error_set (e, "failed to select any cipher from the cipher list");
+ else if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
 error_set (e, "%s: %s", "setting the SSL client certificate failed",
 ERR_error_string (ERR_get_error (), NULL));
 else if (!SSL_CTX_use_PrivateKey_file |
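Review bot: The new `SSL_CTX_set_cipher_list` failure branch in the `irc_initialize_ssl_ctx` hunk drops the OpenSSL error detail that every sibling branch in the same chain reports, so an operator who mistypes `ssl_ciphers` gets no hint whether the list had a syntax error or simply matched nothing. Making it consistent with the certificate branch is a three-line change: `if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))` / `error_set (e, "%s: %s", "failed to select any cipher from the cipher list",` / `ERR_error_string (ERR_get_error (), NULL));`, and including the configured string itself in the message would help further. If `str_map_find` can return NULL for a key that was explicitly unset (the table gives it a non-NULL default, so this is presumably only reachable by configuration), OpenSSL should treat the NULL list as a failure and land in the same branch, but a short comment stating that assumption next to the `ciphers` lookup would make the fail-closed behaviour explicit rather than incidental. The body of `irc_initialize_ssl_ctx` starts and ends outside this hunk.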