authorDirkjan Bussink <d.bussink@gmail.com>2016-03-14 12:02:00 +0000
committerDirkjan Bussink <d.bussink@gmail.com>2016-03-14 12:07:13 +0000
commitfa72d6daf8624b9d2b11566625d0f588016c11db (patch)
tree19990b54ac08ead5180c77a9feab6d0899c2dff6 /src/settings.c
parent1ddada422caf8e72ba97dca2568d2bf879fed5f2 (diff)
Setup better defaults for OpenSSL ciphers
This ensures that when using OpenSSL a safe default set of ciphers is selected. This is done so that the client communicates securely and we don't accidentally enable unsafe ciphers like RC4, or even worse some old export ciphers. Implements the first part of https://github.com/libgit2/libgit2/issues/3682
Diffstat (limited to 'src/settings.c')
-rw-r--r--src/settings.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/settings.c b/src/settings.c
index 88602bad0..c0e503d37 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -71,12 +71,18 @@ static int config_level_to_sysdir(int config_level)
}
extern char *git__user_agent;
+extern char *git__ssl_ciphers;
const char *git_libgit2__user_agent()
{
return git__user_agent;
}
+const char *git_libgit2__ssl_ciphers()
+{
+ return git__ssl_ciphers;
+}
+
int git_libgit2_opts(int key, ...)
{
int error = 0;
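Review bot: The new accessor `git_libgit2__ssl_ciphers()` returns the raw global pointer without documenting its lifetime, and the second hunk of this commit frees and replaces that same global. A caller that keeps the returned string across a later `GIT_OPT_SET_SSL_CIPHERS` call would be reading freed memory, so the function should carry a comment such as `/* Borrowed pointer: owned by the library, invalidated by the next GIT_OPT_SET_SSL_CIPHERS call; copy it if it must outlive that. */`. As a style point, the definition should be written `const char *git_libgit2__ssl_ciphers(void)`, since empty parentheses in C do not declare a prototype. Whether the pointer can be NULL depends on the global's initial value, which is not visible in this hunk.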
@@ -187,6 +193,22 @@ int git_libgit2_opts(int key, ...)
git_object__strict_input_validation = (va_arg(ap, int) != 0);
break;
+ case GIT_OPT_SET_SSL_CIPHERS:
+#ifdef GIT_OPENSSL
+ {
+ git__free(git__ssl_ciphers);
+ git__ssl_ciphers = git__strdup(va_arg(ap, const char *));
+ if (!git__ssl_ciphers) {
+ giterr_set_oom();
+ error = -1;
+ }
+ }
+#else
+ giterr_set(GITERR_NET, "Cannot set custom ciphers: OpenSSL is not enabled");
+ error = -1;
+#endif
+ break;
+
default:
giterr_set(GITERR_INVALID, "invalid option key");
error = -1;
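Review bot: The `GIT_OPT_SET_SSL_CIPHERS` case frees the current cipher list before the copy is known to have succeeded, and it passes the caller's argument to `git__strdup` without a NULL check. If the allocation fails, `git__ssl_ciphers` is left NULL and the previously configured restriction is lost; what the TLS setup does with a NULL list is outside this hunk, but it is unlikely to be what the application asked for. The safer order is to duplicate first, swap only on success, and reject a NULL argument with `GITERR_INVALID`. The string is also stored unvalidated, so a malformed cipher list would presumably surface only when a connection is set up, which is worth stating in the option's documentation. git_libgit2_opts starts and ends outside the hunk.

```c
	case GIT_OPT_SET_SSL_CIPHERS:
#ifdef GIT_OPENSSL
		{
			const char *ciphers = va_arg(ap, const char *);
			char *copy;

			if (!ciphers) {
				giterr_set(GITERR_INVALID, "cipher list must not be NULL");
				error = -1;
				break;
			}

			copy = git__strdup(ciphers);
			if (!copy) {
				giterr_set_oom();
				error = -1;
				break;
			}

			/* swap only after the copy succeeded, so a failure keeps the previous list */
			git__free(git__ssl_ciphers);
			git__ssl_ciphers = copy;
		}
/* … unchanged: #else branch reporting that OpenSSL is not enabled … */
```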