diff --git a/src/shrpx.cc b/src/shrpx.cc
index fa4fc379..a77efd0b 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1354,6 +1354,9 @@ void fill_default_config(Config *config) {
   }
 
   tlsconf.session_timeout = std::chrono::hours(12);
+  tlsconf.ciphers = StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
+  tlsconf.client.ciphers =
+      StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
 #if OPENSSL_1_1_API
   tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
 #else // !OPENSSL_1_1_API
@@ -1898,9 +1901,13 @@ SSL/TLS:
   --ciphers=
               Set allowed cipher list for frontend connection. The
               format of the string is described in OpenSSL ciphers(1).
+              Default: )"
+      << config->tls.ciphers << R"(
   --client-ciphers=
               Set allowed cipher list for backend connection. The
               format of the string is described in OpenSSL ciphers(1).
+              Default: )"
+      << config->tls.client.ciphers << R"(
   --ecdh-curves=
               Set supported curve list for frontend connections.
               is a colon separated list of curve NID or names
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index eb1ea732..3351fea9 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -645,15 +645,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
   SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
 
-  const char *ciphers;
-  if (!tlsconf.ciphers.empty()) {
-    ciphers = tlsconf.ciphers.c_str();
-  } else {
-    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
-  }
-
-  if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
-    LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
+  if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
+    LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
                << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
     DIE();
   }
 
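Review bot: The two new default assignments in fill_default_config now carry an invariant that nothing in the code states: after this commit create_ssl_context() and create_ssl_client_context() hand `tlsconf.ciphers` and `tlsconf.client.ciphers` straight to SSL_CTX_set_cipher_list() with no fallback, so these fields must stay non-empty and NUL-terminated (which `StringRef::from_lit` gives them) for the rest of the config lifetime. A one-line comment above the first added line would make that explicit, e.g. `// Passed verbatim to SSL_CTX_set_cipher_list() in shrpx_ssl.cc; must not be left empty.` Whether the option parser can later overwrite these with an empty StringRef is not visible here and should be confirmed. fill_default_config starts and ends outside the hunk.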
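Review bot: Removing the `empty()` fallback in the @@ -645 hunk changes the failure mode for an empty cipher string rather than just deduplicating the default: the old code silently substituted DEFAULT_CIPHER_LIST, while the new `if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0)` passes an empty string to OpenSSL, which I believe returns 0 for it, so the process now exits through LOG(FATAL)/DIE() at startup. Failing closed on a misconfigured cipher list is the right outcome for a TLS proxy, but it is a behaviour change for anyone who set `--ciphers=` to an empty value in a config file and relied on the implicit default, so it deserves a sentence in the commit message or an explicit rejection with a clearer error in the option parser. The same point applies to the client-side hunk at @@ -873 in create_ssl_client_context. Both enclosing functions start and end outside their hunks.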
@@ -873,14 +866,8 @@ SSL_CTX *create_ssl_client_context(
   SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
 
-  const char *ciphers;
-  if (!tlsconf.client.ciphers.empty()) {
-    ciphers = tlsconf.client.ciphers.c_str();
-  } else {
-    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
-  }
-  if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
-    LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
+  if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
+    LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
                << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
     DIE();
   }
 