changeset 942:d67d8e0db228 ssl-options

Provide SSL/TLS cipher server preference configuration option Enables SSL/TLS cipher server preference by default and allows it to be disabled by a new configuration option. Based on work by Matthias Hunstock. Cc: Matthias Hunstock <matthias.hunstock@tu-ilmenau.de> Signed-off-by: Simon Horman <horms@verge.net.au> --- Lightly tested v3 * Rebase onto tip from v2.1 v2 * New patch
author Simon Horman <horms@verge.net.au>
date Wed, 11 May 2016 09:41:56 +0900
parents 440bad5e5ba4
children 96a24b495d6b
files etc/perdition/perdition.conf perdition/options.c perdition/options.h perdition/perdition.8 perdition/ssl.c
diffstat 5 files changed, 35 insertions(+), 0 deletions(-) [+]
--- a/etc/perdition/perdition.conf	Wed May 11 09:26:21 2016 +0900
+++ b/etc/perdition/perdition.conf	Wed May 11 09:41:56 2016 +0900
@@ -444,3 +444,7 @@
 # Allow SSL/TLS compression when making outgoing connections.
 #ssl_outgoing_compression
 
+# ssl_no_cipher_server_preference
+# Disable SSL/TLS cipher server preference when accepting incoming
+# connections
+#ssl_no_cipher_server_preference
--- a/perdition/options.c	Wed May 11 09:26:21 2016 +0900
+++ b/perdition/options.c	Wed May 11 09:41:56 2016 +0900
@@ -503,6 +503,8 @@
       TAG_SSL_LISTEN_COMPRESSION, NULL, NULL},
     {"ssl_outgoing_compression", '\0', POPT_ARG_NONE, NULL,
       TAG_SSL_OUTGOING_COMPRESSION, NULL, NULL},
+    {"ssl_no_cipher_server_preference", '\0', POPT_ARG_NONE, NULL,
+      TAG_SSL_NO_CIPHER_SERVER_PREFERENCE, NULL, NULL},
     {NULL,                           0,   0,               NULL,
      0, NULL, NULL}
   };
@@ -646,6 +648,8 @@
 	  &i, 0, OPT_NOT_SET);
     opt_i(&(opt.ssl_outgoing_compression), DEFAULT_SSL_OUTGOING_COMPRESSION,
 	  &i, 0, OPT_NOT_SET);
+    opt_i(&(opt.ssl_no_cipher_server_preference),
+	  DEFAULT_SSL_NO_CIPHER_SERVER_PREFERENCE, &i, 0, OPT_NOT_SET);
 #endif /* WITH_SSL_SUPPORT */
   }
 
@@ -1094,6 +1098,14 @@
 	NO_SSL_OPT("ssl_outgoing_compression");
 #endif /* WITH_SSL_SUPPORT */
         break;
+      case TAG_SSL_NO_CIPHER_SERVER_PREFERENCE:
+#ifdef WITH_SSL_SUPPORT
+        opt_i(&(opt.ssl_no_cipher_server_preference), 1, &(opt.ssl_mask),
+			MASK_SSL_NO_CIPHER_SERVER_PREFERENCE, f);
+#else /* WITH_SSL_SUPPORT */
+	NO_SSL_OPT("ssl_no_cipher_server_preference");
+#endif /* WITH_SSL_SUPPORT */
+        break;
       default:
         VANESSA_LOGGER_DEBUG_RAW("Unknown Option");
         break;
@@ -1612,6 +1624,7 @@
 		 "ssl_outgoing_max_proto_version=\"%s\", "
 		 "ssl_listen_compression=\"%s\", "
 		 "ssl_outgoing_compression=\"%s\", "
+		 "ssl_no_cipher_server_preference=\"%s\", "
 		 "(ssl_mask=0x%08x) ",
 		 ssl_mode,
 		 OPT_STR(opt.ssl_ca_file),
@@ -1636,6 +1649,7 @@
 		 OPT_STR(opt.ssl_outgoing_max_proto_version),
 		 BIN_OPT_STR(opt.ssl_listen_compression),
 		 BIN_OPT_STR(opt.ssl_outgoing_compression),
+		 BIN_OPT_STR(opt.ssl_no_cipher_server_preference),
 		 opt.ssl_mask);
 	out[MAX_LINE_LENGTH - 1] = '\0';
 
@@ -1958,6 +1972,9 @@
     "    Allow SSL/TLS compression when accepting incoming connections.\n"
     " --ssl_outgoing_compression\n"
     "    Allow SSL/TLS compression when making outgoing connections.\n"
+    " --ssl_no_cipher_server_preference\n"
+    "    Disable SSL/TLS cipher server preference when accepting incoming\n"
+    "    connections.\n"
 #endif /* WITH_SSL_SUPPORT */
     "\n"
     " Notes: Default value for binary flags is off.\n"
--- a/perdition/options.h	Wed May 11 09:26:21 2016 +0900
+++ b/perdition/options.h	Wed May 11 09:41:56 2016 +0900
@@ -188,6 +188,7 @@
 #define DEFAULT_SSL_OUTGOING_MAX_PROTO_VERSION NULL
 #define DEFAULT_SSL_LISTEN_COMPRESSION       0
 #define DEFAULT_SSL_OUTGOING_COMPRESSION     0
+#define DEFAULT_SSL_NO_CIPHER_SERVER_PREFERENCE 0
 #endif /* WITH_SSL_SUPPORT */
 
 
@@ -263,6 +264,7 @@
   char            *ssl_outgoing_max_proto_version;
   int             ssl_listen_compression;
   int             ssl_outgoing_compression;
+  int             ssl_no_cipher_server_preference;
   flag_t          ssl_mask;
 } options_t;
 
@@ -338,6 +340,7 @@
 #define MASK_SSL_OUTGOING_MAX_PROTO_VERSION    (flag_t) 0x00200000
 #define MASK_SSL_LISTEN_COMPRESSION            (flag_t) 0x00400000
 #define MASK_SSL_OUTGOING_COMPRESSION          (flag_t) 0x00800000
+#define MASK_SSL_NO_CIPHER_SERVER_PREFERENCE   (flag_t) 0x01000000
 #endif /* WITH_SSL_SUPPORT */
 
 /* 
@@ -383,6 +386,7 @@
 #define TAG_SSL_OUTGOING_MAX_PROTO_VERSION     (int) 162
 #define TAG_SSL_LISTEN_COMPRESSION             (int) 163
 #define TAG_SSL_OUTGOING_COMPRESSION           (int) 164
+#define TAG_SSL_NO_CIPHER_SERVER_PREFERENCE    (int) 165
 
 /*Flag values for options()*/
 #define OPT_ERR         (flag_t) 0x1  /*Print error to stderr, enable help*/
--- a/perdition/perdition.8	Wed May 11 09:26:21 2016 +0900
+++ b/perdition/perdition.8	Wed May 11 09:41:56 2016 +0900
@@ -710,6 +710,9 @@
 .B \-\-ssl_outgoing_compression:
 Allow SSL/TLS compression when making outgoing connections.
 .TP
+.B \-\-ssl_no_cipher_server_preference:
+Disable SSL/TLS cipher server preference when accepting incoming connections.
+.TP
 Notes: 
 Default value for binary flags is off.
 .br
--- a/perdition/ssl.c	Wed May 11 09:26:21 2016 +0900
+++ b/perdition/ssl.c	Wed May 11 09:41:56 2016 +0900
@@ -688,6 +688,13 @@
 	}
 
 	/*
+	 * Set cipher server preference
+	 */
+	if ((flag == PERDITION_SSL_SERVER &&
+	     !opt.ssl_no_cipher_server_preference))
+		SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
+	/*
 	 * Load the Diffie-Hellman parameters:
 	 */
 	if (flag & PERDITION_SSL_SERVER &&
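Review bot: The new guard `if ((flag == PERDITION_SSL_SERVER && !opt.ssl_no_cipher_server_preference))` tests `flag` for equality, while the Diffie-Hellman block immediately below tests `flag & PERDITION_SSL_SERVER`; if `flag` is a bitmask that can carry other bits alongside PERDITION_SSL_SERVER, the server-preference option is silently skipped for those contexts and cipher selection falls back to the client's ordering, with nothing logged. Using the same test as the neighbouring code and dropping the redundant outer parentheses gives `if ((flag & PERDITION_SSL_SERVER) && !opt.ssl_no_cipher_server_preference)`. Whether other flag bits can reach this point is inferred from the adjacent check rather than visible here, since the enclosing function starts and ends outside the hunk.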