From a69b61c40c6a8c2e4bc1ef9fe0a65fb572623937 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Mon, 20 Aug 2012 21:50:03 +0900 Subject: [PATCH] shrpx: add --ciphers option to specify allowed cipher list --- examples/shrpx.cc | 9 +++++++++ examples/shrpx_config.cc | 6 +++++- examples/shrpx_config.h | 2 ++ examples/shrpx_ssl.cc | 7 +++++++ 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/examples/shrpx.cc b/examples/shrpx.cc index f2c13ccc..62a6259c 100644 --- a/examples/shrpx.cc +++ b/examples/shrpx.cc @@ -340,6 +340,8 @@ void fill_default_config() // Default accept() backlog mod_config()->backlog = 256; + + mod_config()->ciphers = 0; } } // namespace @@ -434,6 +436,8 @@ void print_help(std::ostream& out) << " --backlog= Set listen backlog size.\n" << " Default: " << get_config()->backlog << "\n" + << " --ciphers= Set allowed cipher list. The format of the\n" + << " string is described in OpenSSL ciphers(1).\n" << " -h, --help Print this help.\n" << std::endl; } @@ -471,6 +475,7 @@ int main(int argc, char **argv) {"syslog", no_argument, &flag, 13 }, {"syslog-facility", required_argument, &flag, 14 }, {"backlog", required_argument, &flag, 15 }, + {"ciphers", required_argument, &flag, 16 }, {"help", no_argument, 0, 'h' }, {0, 0, 0, 0 } }; @@ -575,6 +580,10 @@ int main(int argc, char **argv) // --backlog cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKLOG, optarg)); break; + case 16: + // --ciphers + cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CIPHERS, optarg)); + break; default: break; } diff --git a/examples/shrpx_config.cc b/examples/shrpx_config.cc index ebba2449..e7eae6ea 100644 --- a/examples/shrpx_config.cc +++ b/examples/shrpx_config.cc @@ -67,6 +67,7 @@ const char SHRPX_OPT_USER[] = "user"; const char SHRPX_OPT_SYSLOG[] = "syslog"; const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility"; const char SHRPX_OPT_BACKLOG[] = "backlog"; +const char SHRPX_OPT_CIPHERS[] = "ciphers"; Config::Config() : verbose(false), 
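Review bot: The new help entry for `--ciphers` in print_help does not say what applies when the option is omitted, while the `--backlog` entry directly above prints its default. Since shrpx_ssl.cc only calls SSL_CTX_set_cipher_list when a list was configured, the effective default is whatever cipher list the linked OpenSSL ships with, which is exactly what an operator hardening a deployment needs to know before deciding whether to pass the flag. Appending a line such as `<< "                     Default: OpenSSL's built-in cipher list\n"` after the ciphers(1) line would match the surrounding style. The print_help body continues outside this hunk.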
@@ -94,7 +95,8 @@ Config::Config() syslog(false), syslog_facility(0), use_syslog(false), - backlog(0) + backlog(0), + ciphers(0) {} namespace { @@ -242,6 +244,8 @@ int parse_config(const char *opt, const char *optarg) mod_config()->syslog_facility = facility; } else if(util::strieq(opt, SHRPX_OPT_BACKLOG)) { mod_config()->backlog = strtol(optarg, 0, 10); + } else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) { + set_config_str(&mod_config()->ciphers, optarg); } else if(util::strieq(opt, "conf")) { LOG(WARNING) << "conf is ignored"; } else { diff --git a/examples/shrpx_config.h b/examples/shrpx_config.h index 8b4e25fc..b46ca0bc 100644 --- a/examples/shrpx_config.h +++ b/examples/shrpx_config.h @@ -59,6 +59,7 @@ extern const char SHRPX_OPT_USER[]; extern const char SHRPX_OPT_SYSLOG[]; extern const char SHRPX_OPT_SYSLOG_FACILITY[]; extern const char SHRPX_OPT_BACKLOG[]; +extern const char SHRPX_OPT_CIPHERS[]; union sockaddr_union { sockaddr sa; @@ -102,6 +103,7 @@ struct Config { // This member finally decides syslog is used or not bool use_syslog; int backlog; + char *ciphers; Config(); }; diff --git a/examples/shrpx_ssl.cc b/examples/shrpx_ssl.cc index 5cd60d6c..7aeabe00 100644 --- a/examples/shrpx_ssl.cc +++ b/examples/shrpx_ssl.cc @@ -96,6 +96,13 @@ SSL_CTX* create_ssl_context() SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1); SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER); + if(get_config()->ciphers) { + if(SSL_CTX_set_cipher_list(ssl_ctx, get_config()->ciphers) == 0) { + LOG(FATAL) << "SSL_CTX_set_cipher_list failed."; + DIE(); + } + } + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
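Review bot: The new `char *ciphers;` member in Config is undocumented, whereas the neighbouring `use_syslog` carries a comment explaining its meaning; from the declaration alone a reader cannot tell that a null pointer leaves OpenSSL's default list untouched or that the string is handed verbatim to SSL_CTX_set_cipher_list in shrpx_ssl.cc. A comment above the field along the lines of `// Cipher list in OpenSSL ciphers(1) syntax, passed as-is to SSL_CTX_set_cipher_list(); 0 means the library default stays in effect` would capture that. The struct's opening brace is outside this hunk.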
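Review bot: The cipher list in create_ssl_context is installed without `SSL_OP_CIPHER_SERVER_PREFERENCE`, so the order an operator writes in `--ciphers` only restricts which suites are permitted while the client's preference order still decides which one is negotiated, unless that option is already set earlier in the function (its start lies outside the hunk). Adding `SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` next to the SSL_CTX_set_cipher_list call would make the configured ordering authoritative. Note also that SSL_CTX_set_cipher_list returns 0 only when no cipher at all matched, so a misspelled entry in an otherwise valid list is dropped silently instead of reaching the LOG(FATAL) branch; when that branch does fire, echoing the rejected string, e.g. `LOG(FATAL) << "SSL_CTX_set_cipher_list failed: " << get_config()->ciphers;`, would make the failure actionable.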