nghttpx: Show default cipher list in -h

Tatsuhiro Tsujikawa 2017-01-09 14:43:13 +09:00
parent fc9bdf024f
commit cbca2e35b5
2 changed files with 11 additions and 17 deletions


@ -1354,6 +1354,9 @@ void fill_default_config(Config *config) {
} }
tlsconf.session_timeout = std::chrono::hours(12); tlsconf.session_timeout = std::chrono::hours(12);
tlsconf.ciphers = StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
tlsconf.client.ciphers =
StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
#if OPENSSL_1_1_API #if OPENSSL_1_1_API
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521"); tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
#else // !OPENSSL_1_1_API #else // !OPENSSL_1_1_API
@ -1898,9 +1901,13 @@ SSL/TLS:
--ciphers=<SUITE> --ciphers=<SUITE>
Set allowed cipher list for frontend connection. The Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1). format of the string is described in OpenSSL ciphers(1).
Default: )"
<< config->tls.ciphers << R"(
--client-ciphers=<SUITE> --client-ciphers=<SUITE>
Set allowed cipher list for backend connection. The Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1). format of the string is described in OpenSSL ciphers(1).
Default: )"
<< config->tls.client.ciphers << R"(
--ecdh-curves=<LIST> --ecdh-curves=<LIST>
Set supported curve list for frontend connections. Set supported curve list for frontend connections.
<LIST> is a colon separated list of curve NID or names <LIST> is a colon separated list of curve NID or names
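Review bot: The two new `Default:` lines in the help text print `config->tls.ciphers` and `config->tls.client.ciphers`, not the constant, so they show the real default only if the help printer receives a config that no option has modified yet. The caller is outside this hunk, so that ordering cannot be confirmed from here. Operators read `-h` to check which suites are enabled, and a user-supplied list shown under the label "Default" would mislead them. Either stream `nghttp2::ssl::DEFAULT_CIPHER_LIST` directly, or add a comment at the two insertions such as `// config must still hold fill_default_config() values here`.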


@ -645,15 +645,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count()); SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
const char *ciphers; if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
if (!tlsconf.ciphers.empty()) { LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
ciphers = tlsconf.ciphers.c_str();
} else {
ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
@ -873,14 +866,8 @@ SSL_CTX *create_ssl_client_context(
SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask); SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
const char *ciphers; if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
if (!tlsconf.client.ciphers.empty()) { LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
ciphers = tlsconf.client.ciphers.c_str();
} else {
ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
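Review bot: With the `DEFAULT_CIPHER_LIST` fallback removed from `create_ssl_context` and `create_ssl_client_context`, an empty `tlsconf.ciphers` or `tlsconf.client.ciphers` now goes straight to `SSL_CTX_set_cipher_list`. OpenSSL is expected to reject an empty list, so the process would end in `LOG(FATAL)` and `DIE()` instead of using the default list, and the logged cipher string would be blank. Failing closed is the safe direction, but it relies on every config passing through `fill_default_config` and on the option parser (not visible here) never storing an empty `--ciphers=` or `--client-ciphers=` value. State that invariant at both call sites, e.g. `// never empty: fill_default_config() sets DEFAULT_CIPHER_LIST`, or reject an empty value where the option is parsed. Both function bodies continue outside these hunks.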