nghttpx: Add client-ciphers option

Previously, ciphers option sets cipher list for both frontend and
backend TLS connections.  With this commit, ciphers option only sets
cipher list for frontend connections.  The new client-ciphers option
sets cipher list for backend connection.

gennghttpxfun.py

@@ -156,6 +156,7 @@ OPTIONS = [
     "psk-secrets",
     "client-psk-secrets",
     "client-no-http2-cipher-black-list",
+    "client-ciphers",
 ]
 
 LOGVARS = [

src/shrpx.cc

@@ -1896,8 +1896,11 @@ Timeout:
 
 SSL/TLS:
   --ciphers=<SUITE>
-              Set allowed  cipher list.  The  format of the  string is
+              Set allowed  cipher list  for frontend  connection.  The
-              described in OpenSSL ciphers(1).
+              format of the string is described in OpenSSL ciphers(1).
+  --client-ciphers=<SUITE>
+              Set  allowed cipher  list for  backend connection.   The
+              format of the string is described in OpenSSL ciphers(1).
   --ecdh-curves=<LIST>
               Set  supported  curve  list  for  frontend  connections.
               <LIST> is a  colon separated list of curve  NID or names
@@ -3104,6 +3107,7 @@ int main(int argc, char **argv) {
         {SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148},
         {SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST.c_str(), no_argument,
          &flag, 149},
+        {SHRPX_OPT_CLIENT_CIPHERS.c_str(), required_argument, &flag, 150},
         {nullptr, 0, nullptr, 0}};
 
     int option_index = 0;
@@ -3807,6 +3811,10 @@ int main(int argc, char **argv) {
         cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
                              StringRef::from_lit("yes"));
         break;
+      case 150:
+        // --client-ciphers
+        cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_CIPHERS, StringRef{optarg});
+        break;
       default:
         break;
       }

src/shrpx_config.cc

@@ -1585,6 +1585,9 @@ int option_lookup_token(const char *name, size_t namelen) {
       if (util::strieq_l("backend-no-tl", name, 13)) {
         return SHRPX_OPTID_BACKEND_NO_TLS;
       }
+      if (util::strieq_l("client-cipher", name, 13)) {
+        return SHRPX_OPTID_CLIENT_CIPHERS;
+      }
       break;
     case 't':
       if (util::strieq_l("tls-proto-lis", name, 13)) {
@@ -3283,6 +3286,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
     config->tls.client.no_http2_cipher_black_list =
         util::strieq_l("yes", optarg);
 
+    return 0;
+  case SHRPX_OPTID_CLIENT_CIPHERS:
+    config->tls.client.ciphers = make_string_ref(config->balloc, optarg);
+
     return 0;
   case SHRPX_OPTID_CONF:
     LOG(WARN) << "conf: ignored";

src/shrpx_config.h

@@ -324,6 +324,7 @@ constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
     StringRef::from_lit("client-psk-secrets");
 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
     StringRef::from_lit("client-no-http2-cipher-black-list");
+constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
 
 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
 
@@ -558,6 +559,7 @@ struct TLSConfig {
     } psk;
     StringRef private_key_file;
     StringRef cert_file;
+    StringRef ciphers;
     bool no_http2_cipher_black_list;
   } client;
 
@@ -927,6 +929,7 @@ enum {
   SHRPX_OPTID_CIPHERS,
   SHRPX_OPTID_CLIENT,
   SHRPX_OPTID_CLIENT_CERT_FILE,
+  SHRPX_OPTID_CLIENT_CIPHERS,
   SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
   SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
   SHRPX_OPTID_CLIENT_PROXY,

src/shrpx_ssl.cc

@@ -874,8 +874,8 @@ SSL_CTX *create_ssl_client_context(
   SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
 
   const char *ciphers;
-  if (!tlsconf.ciphers.empty()) {
+  if (!tlsconf.client.ciphers.empty()) {
-    ciphers = tlsconf.ciphers.c_str();
+    ciphers = tlsconf.client.ciphers.c_str();
   } else {
     ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
   }