shrpx: add --ciphers option to specify allowed cipher list
parent
6eba7b4af5
commit
a69b61c40c
|
@ -340,6 +340,8 @@ void fill_default_config()
|
||||||
|
|
||||||
// Default accept() backlog
|
// Default accept() backlog
|
||||||
mod_config()->backlog = 256;
|
mod_config()->backlog = 256;
|
||||||
|
|
||||||
|
mod_config()->ciphers = 0;
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
|
@ -434,6 +436,8 @@ void print_help(std::ostream& out)
|
||||||
<< " --backlog=<NUM> Set listen backlog size.\n"
|
<< " --backlog=<NUM> Set listen backlog size.\n"
|
||||||
<< " Default: "
|
<< " Default: "
|
||||||
<< get_config()->backlog << "\n"
|
<< get_config()->backlog << "\n"
|
||||||
|
<< " --ciphers=<SUITE> Set allowed cipher list. The format of the\n"
|
||||||
|
<< " string is described in OpenSSL ciphers(1).\n"
|
||||||
<< " -h, --help Print this help.\n"
|
<< " -h, --help Print this help.\n"
|
||||||
<< std::endl;
|
<< std::endl;
|
||||||
}
|
}
|
||||||
|
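Review bot: The new help text for `--ciphers` does not say what applies when the option is omitted, while the neighbouring `--backlog` entry prints its default; from the `if(get_config()->ciphers)` guard in create_ssl_context, an unset value leaves the SSL_CTX on OpenSSL's built-in default list. I would add a third line after the ciphers(1) reference, `<< "                     Default: OpenSSL's built-in cipher list.\n"`, so operators know that leaving it out does not mean "no restriction" but "library default". print_help's body continues outside the hunk.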
@ -471,6 +475,7 @@ int main(int argc, char **argv)
|
||||||
{"syslog", no_argument, &flag, 13 },
|
{"syslog", no_argument, &flag, 13 },
|
||||||
{"syslog-facility", required_argument, &flag, 14 },
|
{"syslog-facility", required_argument, &flag, 14 },
|
||||||
{"backlog", required_argument, &flag, 15 },
|
{"backlog", required_argument, &flag, 15 },
|
||||||
|
{"ciphers", required_argument, &flag, 16 },
|
||||||
{"help", no_argument, 0, 'h' },
|
{"help", no_argument, 0, 'h' },
|
||||||
{0, 0, 0, 0 }
|
{0, 0, 0, 0 }
|
||||||
};
|
};
|
||||||
|
@ -575,6 +580,10 @@ int main(int argc, char **argv)
|
||||||
// --backlog
|
// --backlog
|
||||||
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKLOG, optarg));
|
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKLOG, optarg));
|
||||||
break;
|
break;
|
||||||
|
case 16:
|
||||||
|
// --ciphers
|
||||||
|
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CIPHERS, optarg));
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
@ -67,6 +67,7 @@ const char SHRPX_OPT_USER[] = "user";
|
||||||
const char SHRPX_OPT_SYSLOG[] = "syslog";
|
const char SHRPX_OPT_SYSLOG[] = "syslog";
|
||||||
const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
|
const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
|
||||||
const char SHRPX_OPT_BACKLOG[] = "backlog";
|
const char SHRPX_OPT_BACKLOG[] = "backlog";
|
||||||
|
const char SHRPX_OPT_CIPHERS[] = "ciphers";
|
||||||
|
|
||||||
Config::Config()
|
Config::Config()
|
||||||
: verbose(false),
|
: verbose(false),
|
||||||
|
@ -94,7 +95,8 @@ Config::Config()
|
||||||
syslog(false),
|
syslog(false),
|
||||||
syslog_facility(0),
|
syslog_facility(0),
|
||||||
use_syslog(false),
|
use_syslog(false),
|
||||||
backlog(0)
|
backlog(0),
|
||||||
|
ciphers(0)
|
||||||
{}
|
{}
|
||||||
|
|
||||||
namespace {
|
namespace {
|
||||||
|
@ -242,6 +244,8 @@ int parse_config(const char *opt, const char *optarg)
|
||||||
mod_config()->syslog_facility = facility;
|
mod_config()->syslog_facility = facility;
|
||||||
} else if(util::strieq(opt, SHRPX_OPT_BACKLOG)) {
|
} else if(util::strieq(opt, SHRPX_OPT_BACKLOG)) {
|
||||||
mod_config()->backlog = strtol(optarg, 0, 10);
|
mod_config()->backlog = strtol(optarg, 0, 10);
|
||||||
|
} else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
|
||||||
|
set_config_str(&mod_config()->ciphers, optarg);
|
||||||
} else if(util::strieq(opt, "conf")) {
|
} else if(util::strieq(opt, "conf")) {
|
||||||
LOG(WARNING) << "conf is ignored";
|
LOG(WARNING) << "conf is ignored";
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -59,6 +59,7 @@ extern const char SHRPX_OPT_USER[];
|
||||||
extern const char SHRPX_OPT_SYSLOG[];
|
extern const char SHRPX_OPT_SYSLOG[];
|
||||||
extern const char SHRPX_OPT_SYSLOG_FACILITY[];
|
extern const char SHRPX_OPT_SYSLOG_FACILITY[];
|
||||||
extern const char SHRPX_OPT_BACKLOG[];
|
extern const char SHRPX_OPT_BACKLOG[];
|
||||||
|
extern const char SHRPX_OPT_CIPHERS[];
|
||||||
|
|
||||||
union sockaddr_union {
|
union sockaddr_union {
|
||||||
sockaddr sa;
|
sockaddr sa;
|
||||||
|
@ -102,6 +103,7 @@ struct Config {
|
||||||
// This member finally decides syslog is used or not
|
// This member finally decides syslog is used or not
|
||||||
bool use_syslog;
|
bool use_syslog;
|
||||||
int backlog;
|
int backlog;
|
||||||
|
char *ciphers;
|
||||||
Config();
|
Config();
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
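Review bot: The new `char *ciphers;` member is undocumented, unlike `use_syslog` just above it, and its null-means-default semantics are only discoverable by reading create_ssl_context. I would add a comment above the field: `// OpenSSL cipher list string (ciphers(1) syntax) passed to SSL_CTX_set_cipher_list; null keeps the library default.` Ownership of the string is set via set_config_str in parse_config, which is not visible here, so I have not documented who frees it. The Config struct continues outside the hunk.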
@ -96,6 +96,13 @@ SSL_CTX* create_ssl_context()
|
||||||
SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1);
|
SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1);
|
||||||
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
|
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
|
||||||
|
|
||||||
|
if(get_config()->ciphers) {
|
||||||
|
if(SSL_CTX_set_cipher_list(ssl_ctx, get_config()->ciphers) == 0) {
|
||||||
|
LOG(FATAL) << "SSL_CTX_set_cipher_list failed.";
|
||||||
|
DIE();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
|
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
|
||||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||||
|
|
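Review bot: The FATAL message on the `SSL_CTX_set_cipher_list` failure path does not include the offending string, so an operator gets no hint which part of their list was rejected; I would change it to `LOG(FATAL) << "SSL_CTX_set_cipher_list failed with: " << get_config()->ciphers;`. Note also that SSL_CTX_set_cipher_list returns 0 only when no cipher at all could be selected, so a list containing one typo alongside valid entries passes this check and silently yields a narrower (or differently ordered) set than intended; a comment stating that limitation next to the check would save the next reader from assuming the string was fully validated. Whether the order given here is honoured on the server side also depends on SSL_OP_CIPHER_SERVER_PREFERENCE being set on this context, which is not visible in the hunk. create_ssl_context starts and ends outside the hunk.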