diff options
| author | Jo-Philipp Wich <jo@mein.io> | 2020-02-15 21:35:40 +0100 |
|---|---|---|
| committer | Jo-Philipp Wich <jo@mein.io> | 2020-02-15 23:47:00 +0100 |
| commit | 5fc551d620bb353dbac68fe4d23da12784575118 (patch) | |
| tree | 3809453943aa538ed987faebc4f728ab201b6c62 | |
| parent | 2ee323c01079248baa9465969df9e25b5fb68cdf (diff) | |
| download | uhttpd2-5fc551d620bb353dbac68fe4d23da12784575118.tar.gz | |
tls: support specifying accepted TLS ciphers
Introduce a new `-P` option which allows specifying a colon separated list
of accepted TLS ciphers.
Depending on the underlying ustream-ssl provider, the list either follows
OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon
separated cipher whitelist.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | main.c | 12 | ||||
| -rw-r--r-- | tls.c | 7 | ||||
| -rw-r--r-- | tls.h | 4 |
3 files changed, 17 insertions, 6 deletions
@@ -139,6 +139,7 @@ static int usage(const char *name) " -s [addr:]port Like -p but provide HTTPS on this port\n" " -C file ASN.1 server certificate file\n" " -K file ASN.1 server private key file\n" + " -P ciphers Colon separated list of allowed TLS ciphers\n" " -q Redirect all HTTP requests to HTTPS\n" #endif " -h directory Specify the document root, default is '.'\n" @@ -249,7 +250,7 @@ int main(int argc, char **argv) int bound = 0; #ifdef HAVE_TLS int n_tls = 0; - const char *tls_key = NULL, *tls_crt = NULL; + const char *tls_key = NULL, *tls_crt = NULL, *tls_ciphers = NULL; #endif #ifdef HAVE_LUA const char *lua_prefix = NULL, *lua_handler = NULL; @@ -261,7 +262,7 @@ int main(int argc, char **argv) init_defaults_pre(); signal(SIGPIPE, SIG_IGN); - while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { + while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { switch(ch) { #ifdef HAVE_TLS case 'C': @@ -272,6 +273,10 @@ int main(int argc, char **argv) tls_key = optarg; break; + case 'P': + tls_ciphers = optarg; + break; + case 'q': conf.tls_redirect = 1; break; @@ -282,6 +287,7 @@ int main(int argc, char **argv) #else case 'C': case 'K': + case 'P': case 'q': case 's': fprintf(stderr, "uhttpd: TLS support not compiled, " @@ -523,7 +529,7 @@ int main(int argc, char **argv) return 1; } - if (uh_tls_init(tls_key, tls_crt)) + if (uh_tls_init(tls_key, tls_crt, tls_ciphers)) return 1; } #endif @@ -31,7 +31,7 @@ static struct ustream_ssl_ops *ops; static void *dlh; static void *ctx; -int uh_tls_init(const char *key, const char *crt) +int uh_tls_init(const char *key, const char *crt, const char *ciphers) { static bool _init = false; @@ -63,6 +63,11 @@ int uh_tls_init(const char *key, const char *crt) return -EINVAL; } + if (ciphers && ops->context_set_ciphers(ctx, ciphers)) { + fprintf(stderr, "No recognized ciphers in cipher list\n"); + return -EINVAL; + } + return 0; } @@ -22,13 +22,13 @@ #ifdef HAVE_TLS -int uh_tls_init(const char *key, const char *crt); +int uh_tls_init(const char *key, const char *crt, const char *ciphers); void uh_tls_client_attach(struct client *cl); void uh_tls_client_detach(struct client *cl); #else -static inline int uh_tls_init(const char *key, const char *crt) +static inline int uh_tls_init(const char *key, const char *crt, const char *ciphers) { return -1; } |