shrpx: add --ciphers option to specify allowed cipher list
This commit is contained in:
parent
6eba7b4af5
commit
a69b61c40c
|
@ -340,6 +340,8 @@ void fill_default_config()
|
|||
|
||||
// Default accept() backlog
|
||||
mod_config()->backlog = 256;
|
||||
|
||||
mod_config()->ciphers = 0;
|
||||
}
|
||||
} // namespace
|
||||
|
||||
|
@ -434,6 +436,8 @@ void print_help(std::ostream& out)
|
|||
<< " --backlog=<NUM> Set listen backlog size.\n"
|
||||
<< " Default: "
|
||||
<< get_config()->backlog << "\n"
|
||||
<< " --ciphers=<SUITE> Set allowed cipher list. The format of the\n"
|
||||
<< " string is described in OpenSSL ciphers(1).\n"
|
||||
<< " -h, --help Print this help.\n"
|
||||
<< std::endl;
|
||||
}
|
||||
|
@ -471,6 +475,7 @@ int main(int argc, char **argv)
|
|||
{"syslog", no_argument, &flag, 13 },
|
||||
{"syslog-facility", required_argument, &flag, 14 },
|
||||
{"backlog", required_argument, &flag, 15 },
|
||||
{"ciphers", required_argument, &flag, 16 },
|
||||
{"help", no_argument, 0, 'h' },
|
||||
{0, 0, 0, 0 }
|
||||
};
|
||||
|
@ -575,6 +580,10 @@ int main(int argc, char **argv)
|
|||
// --backlog
|
||||
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKLOG, optarg));
|
||||
break;
|
||||
case 16:
|
||||
// --ciphers
|
||||
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CIPHERS, optarg));
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
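Review bot: The `--ciphers` help text in the print_help hunk does not say what happens when the option is omitted, while the neighbouring `--backlog` entry prints its default. Since the shrpx_ssl.cc hunk only calls SSL_CTX_set_cipher_list when a value is set, omission presumably leaves the cipher list the SSL_CTX was created with (OpenSSL's compiled-in default); suggest adding `<< "                     Default: OpenSSL's built-in default list.\n"` after the ciphers(1) line so operators know they are on the library default until they set this. Separately, `mod_config()->ciphers = 0;` in fill_default_config duplicates the `ciphers(0)` initializer added to Config::Config in shrpx_config.cc; harmless, but one of the two could go. The main() switch that the last hunk sits in starts and ends outside the hunk.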
|
||||
|
|
|
@ -67,6 +67,7 @@ const char SHRPX_OPT_USER[] = "user";
|
|||
const char SHRPX_OPT_SYSLOG[] = "syslog";
|
||||
const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
|
||||
const char SHRPX_OPT_BACKLOG[] = "backlog";
|
||||
const char SHRPX_OPT_CIPHERS[] = "ciphers";
|
||||
|
||||
Config::Config()
|
||||
: verbose(false),
|
||||
|
@ -94,7 +95,8 @@ Config::Config()
|
|||
syslog(false),
|
||||
syslog_facility(0),
|
||||
use_syslog(false),
|
||||
backlog(0)
|
||||
backlog(0),
|
||||
ciphers(0)
|
||||
{}
|
||||
|
||||
namespace {
|
||||
|
@ -242,6 +244,8 @@ int parse_config(const char *opt, const char *optarg)
|
|||
mod_config()->syslog_facility = facility;
|
||||
} else if(util::strieq(opt, SHRPX_OPT_BACKLOG)) {
|
||||
mod_config()->backlog = strtol(optarg, 0, 10);
|
||||
} else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
|
||||
set_config_str(&mod_config()->ciphers, optarg);
|
||||
} else if(util::strieq(opt, "conf")) {
|
||||
LOG(WARNING) << "conf is ignored";
|
||||
} else {
|
||||
|
|
|
@ -59,6 +59,7 @@ extern const char SHRPX_OPT_USER[];
|
|||
extern const char SHRPX_OPT_SYSLOG[];
|
||||
extern const char SHRPX_OPT_SYSLOG_FACILITY[];
|
||||
extern const char SHRPX_OPT_BACKLOG[];
|
||||
extern const char SHRPX_OPT_CIPHERS[];
|
||||
|
||||
union sockaddr_union {
|
||||
sockaddr sa;
|
||||
|
@ -102,6 +103,7 @@ struct Config {
|
|||
// This member finally decides syslog is used or not
|
||||
bool use_syslog;
|
||||
int backlog;
|
||||
char *ciphers;
|
||||
Config();
|
||||
};
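Review bot: The new `char *ciphers;` member carries no comment on its format, its null meaning or who owns the string, whereas `use_syslog` directly above it is documented. Suggest `// Allowed cipher list in OpenSSL ciphers(1) format; null (the default) leaves the library's default list untouched.` Ownership is not visible here (the value is assigned through `set_config_str` in shrpx_config.cc, whose body is not in this commit), so add a one-line note on who frees it once confirmed. The `struct Config` header and the earlier members lie outside the hunk.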
|
||||
|
||||
|
|
|
@ -96,6 +96,13 @@ SSL_CTX* create_ssl_context()
|
|||
SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1);
|
||||
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
|
||||
|
||||
if(get_config()->ciphers) {
|
||||
if(SSL_CTX_set_cipher_list(ssl_ctx, get_config()->ciphers) == 0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_cipher_list failed.";
|
||||
DIE();
|
||||
}
|
||||
}
|
||||
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
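Review bot: The `== 0` check on SSL_CTX_set_cipher_list only fails when no entry in the string is recognised, so a list that mixes one valid suite with misspelled or unsupported names is accepted silently with the unrecognised entries dropped; the fatal path covers only a wholly invalid list. A comment above the call should say so, e.g. `// Returns 0 only if nothing in the list matched; a partially misspelled` / `// list is accepted with the unknown entries dropped.`, and logging the resulting list at startup (where the OpenSSL version in use exposes it) would let operators confirm what was actually enabled. The fail-closed LOG(FATAL) + DIE() for the all-invalid case is the right choice. create_ssl_context begins and continues outside this hunk.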
|
||||
|
|