diff --git a/gennghttpxfun.py b/gennghttpxfun.py
index cac3a548..c394486f 100755
--- a/gennghttpxfun.py
+++ b/gennghttpxfun.py
@@ -156,6 +156,7 @@ OPTIONS = [
     "psk-secrets",
     "client-psk-secrets",
     "client-no-http2-cipher-black-list",
+    "client-ciphers",
 ]
 
 LOGVARS = [
diff --git a/src/shrpx.cc b/src/shrpx.cc
index 4dc79b70..ba607db2 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1896,8 +1896,11 @@ Timeout:
 
 SSL/TLS:
   --ciphers=
-              Set allowed cipher list.  The format of the string is
-              described in OpenSSL ciphers(1).
+              Set allowed cipher list for frontend connection.  The
+              format of the string is described in OpenSSL ciphers(1).
+  --client-ciphers=
+              Set allowed cipher list for backend connection.  The
+              format of the string is described in OpenSSL ciphers(1).
   --ecdh-curves=
               Set supported curve list for frontend connections.
               is a colon separated list of curve NID or names
@@ -3104,6 +3107,7 @@ int main(int argc, char **argv) {
       {SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148},
       {SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST.c_str(), no_argument, &flag,
        149},
+      {SHRPX_OPT_CLIENT_CIPHERS.c_str(), required_argument, &flag, 150},
       {nullptr, 0, nullptr, 0}};
 
   int option_index = 0;
@@ -3807,6 +3811,10 @@ int main(int argc, char **argv) {
         cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
                              StringRef::from_lit("yes"));
         break;
+      case 150:
+        // --client-ciphers
+        cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_CIPHERS, StringRef{optarg});
+        break;
       default:
         break;
       }
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index 4fc3f841..ac4775ae 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -1585,6 +1585,9 @@ int option_lookup_token(const char *name, size_t namelen) {
       if (util::strieq_l("backend-no-tl", name, 13)) {
         return SHRPX_OPTID_BACKEND_NO_TLS;
       }
+      if (util::strieq_l("client-cipher", name, 13)) {
+        return SHRPX_OPTID_CLIENT_CIPHERS;
+      }
       break;
     case 't':
       if (util::strieq_l("tls-proto-lis", name, 13)) {
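Review bot: The new `--client-ciphers` help entry does not say what the backend uses when the option is absent, and after this patch that is no longer `--ciphers` (the shrpx_ssl.cc hunk falls back to DEFAULT_CIPHER_LIST), so an operator who hardened `--ciphers` gets a different, possibly weaker, backend suite list with no hint in the help output. Add a sentence to the `--client-ciphers` description such as `If not given, the built-in default cipher list is used; --ciphers does not apply to backend connections.` and consider saying the same under `--ciphers`. The `<SUITE>` and `<LIST>` placeholders appear to be missing on the option lines as rendered here, which is probably an extraction artifact rather than a defect in the patch, but worth a glance. The help text belongs to a function that starts and ends outside the hunk.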
@@ -3283,6 +3286,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
     config->tls.client.no_http2_cipher_black_list =
         util::strieq_l("yes", optarg);
+    return 0;
+  case SHRPX_OPTID_CLIENT_CIPHERS:
+    config->tls.client.ciphers = make_string_ref(config->balloc, optarg);
+    return 0;
   case SHRPX_OPTID_CONF:
     LOG(WARN) << "conf: ignored";
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index 0d9c8c81..efdc50a5 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -324,6 +324,7 @@ constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
     StringRef::from_lit("client-psk-secrets");
 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
     StringRef::from_lit("client-no-http2-cipher-black-list");
+constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
 
 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
 
@@ -558,6 +559,7 @@ struct TLSConfig {
     } psk;
     StringRef private_key_file;
     StringRef cert_file;
+    StringRef ciphers;
     bool no_http2_cipher_black_list;
   } client;
 
@@ -927,6 +929,7 @@ enum {
   SHRPX_OPTID_CIPHERS,
   SHRPX_OPTID_CLIENT,
   SHRPX_OPTID_CLIENT_CERT_FILE,
+  SHRPX_OPTID_CLIENT_CIPHERS,
   SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
   SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
   SHRPX_OPTID_CLIENT_PROXY,
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index dee8662a..eb1ea732 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -874,8 +874,8 @@ SSL_CTX *create_ssl_client_context(
   SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
 
   const char *ciphers;
-  if (!tlsconf.ciphers.empty()) {
-    ciphers = tlsconf.ciphers.c_str();
+  if (!tlsconf.client.ciphers.empty()) {
+    ciphers = tlsconf.client.ciphers.c_str();
   } else {
     ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
   }
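Review bot: The new `StringRef ciphers;` member of `client` is undocumented, and its meaning (backend-side cipher list, empty selecting DEFAULT_CIPHER_LIST as the shrpx_ssl.cc hunk shows) is not discoverable from the header alone. Suggest `// OpenSSL cipher list for backend (client-side) TLS, from --client-ciphers; empty selects DEFAULT_CIPHER_LIST.` on that line, matching the surrounding fields if they carry comments elsewhere in the struct. The enclosing struct TLSConfig starts and ends outside the hunk.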
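Review bot: Swapping `tlsconf.ciphers` for `tlsconf.client.ciphers` silently changes behaviour for existing deployments: before this patch `--ciphers` also governed backend connections, now a configuration that only sets `--ciphers` gets DEFAULT_CIPHER_LIST on the backend, which can re-enable suites the operator deliberately removed. If that is not intended, keep the old value as a middle branch, `} else if (!tlsconf.ciphers.empty()) {` / `  ciphers = tlsconf.ciphers.c_str();`, so `--client-ciphers` overrides and `--ciphers` remains the fallback. If it is intended, it should be called out in the commit message and the `--ciphers` help text as a compatibility break. Whether applying `ciphers` to the context is error-checked is outside the hunk; create_ssl_client_context continues past it.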