From cbca2e35b5121ac78530d6380891f02007062304 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Mon, 9 Jan 2017 14:43:13 +0900
Subject: [PATCH] nghttpx: Show default cipher list in -h

---
 src/shrpx.cc     |  7 +++++++
 src/shrpx_ssl.cc | 21 ++++-----------------
 2 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/src/shrpx.cc b/src/shrpx.cc
index fa4fc379..a77efd0b 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1354,6 +1354,9 @@ void fill_default_config(Config *config) {
   }
 
   tlsconf.session_timeout = std::chrono::hours(12);
+  tlsconf.ciphers = StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
+  tlsconf.client.ciphers =
+      StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
 #if OPENSSL_1_1_API
   tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
 #else  // !OPENSSL_1_1_API
@@ -1898,9 +1901,13 @@ SSL/TLS:
   --ciphers=<SUITE>
               Set allowed  cipher list  for frontend  connection.  The
               format of the string is described in OpenSSL ciphers(1).
+              Default: )"
+      << config->tls.ciphers << R"(
   --client-ciphers=<SUITE>
               Set  allowed cipher  list for  backend connection.   The
               format of the string is described in OpenSSL ciphers(1).
+              Default: )"
+      << config->tls.client.ciphers << R"(
   --ecdh-curves=<LIST>
               Set  supported  curve  list  for  frontend  connections.
               <LIST> is a  colon separated list of curve  NID or names
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index eb1ea732..3351fea9 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -645,15 +645,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
 
   SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
 
-  const char *ciphers;
-  if (!tlsconf.ciphers.empty()) {
-    ciphers = tlsconf.ciphers.c_str();
-  } else {
-    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
-  }
-
-  if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
-    LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
+  if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
+    LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
                << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
     DIE();
   }
@@ -873,14 +866,8 @@ SSL_CTX *create_ssl_client_context(
 
   SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
 
-  const char *ciphers;
-  if (!tlsconf.client.ciphers.empty()) {
-    ciphers = tlsconf.client.ciphers.c_str();
-  } else {
-    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
-  }
-  if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
-    LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
+  if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
+    LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
                << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
     DIE();
   }