nghttpx: Show default cipher list in -h

2017-01-09 14:43:13 +09:00 · 2017-01-09 14:43:13 +09:00 · cbca2e35b5
parent fc9bdf024f
commit cbca2e35b5
2 changed files with 11 additions and 17 deletions
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -1354,6 +1354,9 @@ void fill_default_config(Config *config) {
  }

  tlsconf.session_timeout = std::chrono::hours(12);
+  tlsconf.ciphers = StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
+  tlsconf.client.ciphers =
+      StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
 #if OPENSSL_1_1_API
  tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
 #else  // !OPENSSL_1_1_API
@ -1898,9 +1901,13 @@ SSL/TLS:
  --ciphers=<SUITE>
              Set allowed  cipher list  for frontend  connection.  The
              format of the string is described in OpenSSL ciphers(1).
+              Default: )"
+      << config->tls.ciphers << R"(
  --client-ciphers=<SUITE>
              Set  allowed cipher  list for  backend connection.   The
              format of the string is described in OpenSSL ciphers(1).
+              Default: )"
+      << config->tls.client.ciphers << R"(
  --ecdh-curves=<LIST>
              Set  supported  curve  list  for  frontend  connections.
              <LIST> is a  colon separated list of curve  NID or names
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@ -645,15 +645,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,

  SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());

-  const char *ciphers;
-  if (!tlsconf.ciphers.empty()) {
-    ciphers = tlsconf.ciphers.c_str();
-  } else {
-    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
-  }
-
-  if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
-    LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
+  if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
+    LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
               << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
@ -873,14 +866,8 @@ SSL_CTX *create_ssl_client_context(

  SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);

-  const char *ciphers;
-  if (!tlsconf.client.ciphers.empty()) {
-    ciphers = tlsconf.client.ciphers.c_str();
-  } else {
-    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
-  }
-  if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
-    LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
+  if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
+    LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
               << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }