Enables SSL/TLS cipher server preference by default and allows it to be
disabled by a new configuration option.
Based on work by Matthias Hunstock.
Cc: Matthias Hunstock <matthias.hunstock(a)tu-ilmenau.de>
Signed-off-by: Simon Horman <horms(a)verge.net.au>
---
Lightly tested
v2
* New patch
diff -r 7ee220600234 -r ca74403f57d4 etc/perdition/perdition.conf
--- a/etc/perdition/perdition.conf Wed May 11 09:26:21 2016 +0900
+++ b/etc/perdition/perdition.conf Wed May 11 09:41:56 2016 +0900
@@ -439,3 +439,7 @@
# Allow SSL/TLS compression when making outgoing connections.
#ssl_outgoing_compression
+# ssl_no_cipher_server_preference
+# Disable SSL/TLS cipher server preference when accepting incoming
+# connections
+#ssl_no_cipher_server_preference
diff -r 7ee220600234 -r ca74403f57d4 perdition/options.c
--- a/perdition/options.c Wed May 11 09:26:21 2016 +0900
+++ b/perdition/options.c Wed May 11 09:41:56 2016 +0900
@@ -501,6 +501,8 @@
TAG_SSL_LISTEN_COMPRESSION, NULL, NULL},
{"ssl_outgoing_compression", '\0', POPT_ARG_NONE, NULL,
TAG_SSL_OUTGOING_COMPRESSION, NULL, NULL},
+ {"ssl_no_cipher_server_preference", '\0', POPT_ARG_NONE, NULL,
+ TAG_SSL_NO_CIPHER_SERVER_PREFERENCE, NULL, NULL},
{NULL, 0, 0, NULL,
0, NULL, NULL}
};
@@ -643,6 +645,8 @@
&i, 0, OPT_NOT_SET);
opt_i(&(opt.ssl_outgoing_compression), DEFAULT_SSL_OUTGOING_COMPRESSION,
&i, 0, OPT_NOT_SET);
+ opt_i(&(opt.ssl_no_cipher_server_preference),
+ DEFAULT_SSL_NO_CIPHER_SERVER_PREFERENCE, &i, 0, OPT_NOT_SET);
#endif /* WITH_SSL_SUPPORT */
}
@@ -1083,6 +1087,14 @@
NO_SSL_OPT("ssl_outgoing_compression");
#endif /* WITH_SSL_SUPPORT */
break;
+ case TAG_SSL_NO_CIPHER_SERVER_PREFERENCE:
+#ifdef WITH_SSL_SUPPORT
+ opt_i(&(opt.ssl_no_cipher_server_preference), 1, &(opt.ssl_mask),
+ MASK_SSL_NO_CIPHER_SERVER_PREFERENCE, f);
+#else /* WITH_SSL_SUPPORT */
+ NO_SSL_OPT("ssl_no_cipher_server_preference");
+#endif /* WITH_SSL_SUPPORT */
+ break;
default:
VANESSA_LOGGER_DEBUG_RAW("Unknown Option");
break;
@@ -1601,6 +1613,7 @@
"ssl_outgoing_max_proto_version=\"%s\", "
"ssl_listen_compression=\"%s\", "
"ssl_outgoing_compression=\"%s\", "
+ "ssl_no_cipher_server_preference=\"%s\", "
"(ssl_mask=0x%08x) ",
ssl_mode,
OPT_STR(opt.ssl_ca_file),
@@ -1625,6 +1638,7 @@
OPT_STR(opt.ssl_outgoing_max_proto_version),
BIN_OPT_STR(opt.ssl_listen_compression),
BIN_OPT_STR(opt.ssl_outgoing_compression),
+ BIN_OPT_STR(opt.ssl_no_cipher_server_preference),
opt.ssl_mask);
out[MAX_LINE_LENGTH - 1] = '\0';
@@ -1947,6 +1961,9 @@
" Allow SSL/TLS compression when accepting incoming connections.\n"
" --ssl_outgoing_compression\n"
" Allow SSL/TLS compression when making outgoing connections.\n"
+ " --ssl_no_cipher_server_preference\n"
+ " Disable SSL/TLS cipher server preference when accepting incoming\n"
+ " connections.\n"
#endif /* WITH_SSL_SUPPORT */
"\n"
" Notes: Default value for binary flags is off.\n"
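Review bot: The three added help lines say the flag disables cipher server preference but not what that preference is or that it is on unless this flag is given; a reader has to combine them with the "Default value for binary flags is off" note below to work out that the server's cipher order is honoured by default. Consider spelling it out in the second and third added lines, e.g. `" Disable SSL/TLS cipher server preference (honouring the server's cipher\n"` / `" list order rather than the client's) when accepting incoming connections.\n"`. The same wording would suit the matching text in the perdition.conf and perdition.8 hunks.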
diff -r 7ee220600234 -r ca74403f57d4 perdition/options.h
--- a/perdition/options.h Wed May 11 09:26:21 2016 +0900
+++ b/perdition/options.h Wed May 11 09:41:56 2016 +0900
@@ -187,6 +187,7 @@
#define DEFAULT_SSL_OUTGOING_MAX_PROTO_VERSION NULL
#define DEFAULT_SSL_LISTEN_COMPRESSION 0
#define DEFAULT_SSL_OUTGOING_COMPRESSION 0
+#define DEFAULT_SSL_NO_CIPHER_SERVER_PREFERENCE 0
#endif /* WITH_SSL_SUPPORT */
@@ -261,6 +262,7 @@
char *ssl_outgoing_max_proto_version;
int ssl_listen_compression;
int ssl_outgoing_compression;
+ int ssl_no_cipher_server_preference;
flag_t ssl_mask;
} options_t;
@@ -335,6 +337,7 @@
#define MASK_SSL_OUTGOING_MAX_PROTO_VERSION (flag_t) 0x00100000
#define MASK_SSL_LISTEN_COMPRESSION (flag_t) 0x00200000
#define MASK_SSL_OUTGOING_COMPRESSION (flag_t) 0x00400000
+#define MASK_SSL_NO_CIPHER_SERVER_PREFERENCE (flag_t) 0x00800000
#endif /* WITH_SSL_SUPPORT */
/*
@@ -379,6 +382,7 @@
#define TAG_SSL_OUTGOING_MAX_PROTO_VERSION (int) 161
#define TAG_SSL_LISTEN_COMPRESSION (int) 162
#define TAG_SSL_OUTGOING_COMPRESSION (int) 163
+#define TAG_SSL_NO_CIPHER_SERVER_PREFERENCE (int) 164
/*Flag values for options()*/
#define OPT_ERR (flag_t) 0x1 /*Print error to stderr, enable help*/
diff -r 7ee220600234 -r ca74403f57d4 perdition/perdition.8
--- a/perdition/perdition.8 Wed May 11 09:26:21 2016 +0900
+++ b/perdition/perdition.8 Wed May 11 09:41:56 2016 +0900
@@ -704,6 +704,9 @@
.B \-\-ssl_outgoing_compression:
Allow SSL/TLS compression when making outgoing connections.
.TP
+.B \-\-ssl_no_cipher_server_preference:
+Disable SSL/TLS cipher server preference when accepting incoming connections.
+.TP
Notes:
Default value for binary flags is off.
.br
diff -r 7ee220600234 -r ca74403f57d4 perdition/ssl.c
--- a/perdition/ssl.c Wed May 11 09:26:21 2016 +0900
+++ b/perdition/ssl.c Wed May 11 09:41:56 2016 +0900
@@ -678,6 +678,13 @@
}
/*
+ * Set cipher server preference
+ */
+ if ((flag == PERDITION_SSL_SERVER &&
+ !opt.ssl_no_cipher_server_preference))
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
+ /*
* Set the available ciphers
*/
if(ciphers && SSL_CTX_set_cipher_list(ssl_ctx, ciphers) < 0) {
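Review bot: The added `if` condition is wrapped in a redundant second pair of parentheses, which in C usually signals a deliberate assignment-in-condition and is not the style of the surrounding code; `if (flag == PERDITION_SSL_SERVER && !opt.ssl_no_cipher_server_preference)` is enough. The comment above it says what is set but not why, which is the security-relevant part; something like `/* Honour our own cipher order (the list set just below) rather than the client's, unless ssl_no_cipher_server_preference is configured */` would tell the next reader that the order of the configured cipher list now matters. SSL_CTX_set_options returns the updated option mask rather than an error code, so no return-value check is needed here. The enclosing function starts and ends outside the hunk, so it is assumed that `flag` and `ssl_ctx` are what the surrounding code supplies.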