From 5fc551d620bb353dbac68fe4d23da12784575118 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sat, 15 Feb 2020 21:35:40 +0100
Subject: [PATCH] tls: support specifying accepted TLS ciphers

Introduce a new `-P` option which allows specifying a colon separated list of accepted TLS ciphers. Depending on the underlying ustream-ssl provider, the list either follows OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon separated cipher whitelist.

Signed-off-by: Jo-Philipp Wich
---
 main.c | 12 +++++++++---
 tls.c | 7 ++++++-
 tls.h | 4 ++--
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/main.c b/main.c
index 6c29afe..26e74ec 100644
--- a/main.c
+++ b/main.c
@@ -139,6 +139,7 @@ static int usage(const char *name)
 " -s [addr:]port Like -p but provide HTTPS on this port\n"
 " -C file ASN.1 server certificate file\n"
 " -K file ASN.1 server private key file\n"
+ " -P ciphers Colon separated list of allowed TLS ciphers\n"
 " -q Redirect all HTTP requests to HTTPS\n"
 #endif
 " -h directory Specify the document root, default is '.'\n"
@@ -249,7 +250,7 @@ int main(int argc, char **argv)
 int bound = 0;
 #ifdef HAVE_TLS
 int n_tls = 0;
- const char *tls_key = NULL, *tls_crt = NULL;
+ const char *tls_key = NULL, *tls_crt = NULL, *tls_ciphers = NULL;
 #endif
 #ifdef HAVE_LUA
 const char *lua_prefix = NULL, *lua_handler = NULL;
@@ -261,7 +262,7 @@ int main(int argc, char **argv)
 init_defaults_pre();
 signal(SIGPIPE, SIG_IGN);
- while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
 switch(ch) {
 #ifdef HAVE_TLS
 case 'C':
@@ -272,6 +273,10 @@ int main(int argc, char **argv)
 tls_key = optarg;
 break;
+ case 'P':
+ tls_ciphers = optarg;
+ break;
+
 case 'q':
 conf.tls_redirect = 1;
 break;
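Review bot: The new `-P` help line in the usage() hunk does not tell the operator that the accepted syntax depends on the TLS provider, which the commit message explains (OpenSSL cipher-string format versus a plain colon-separated cipher whitelist for mbedTLS); an operator who pastes an OpenSSL-style string into an mbedTLS build gets a startup failure with no hint as to why. Consider extending the help text, e.g. `" -P ciphers Colon separated list of allowed TLS ciphers (OpenSSL cipher string or mbedTLS cipher names, depending on the provider)\n"`. It is also worth stating there that omitting `-P` keeps the provider's default list, since that is the behaviour an auditor will ask about. usage() starts and ends outside the hunk.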
@@ -282,6 +287,7 @@ int main(int argc, char **argv)
 #else
 case 'C':
 case 'K':
+ case 'P':
 case 'q':
 case 's':
 fprintf(stderr, "uhttpd: TLS support not compiled, "
@@ -523,7 +529,7 @@ int main(int argc, char **argv)
 return 1;
 }
- if (uh_tls_init(tls_key, tls_crt))
+ if (uh_tls_init(tls_key, tls_crt, tls_ciphers))
 return 1;
 }
 #endif
diff --git a/tls.c b/tls.c
index d969b82..1da0881 100644
--- a/tls.c
+++ b/tls.c
@@ -31,7 +31,7 @@ static struct ustream_ssl_ops *ops;
 static void *dlh;
 static void *ctx;
-int uh_tls_init(const char *key, const char *crt)
+int uh_tls_init(const char *key, const char *crt, const char *ciphers)
 {
 static bool _init = false;
@@ -63,6 +63,11 @@ int uh_tls_init(const char *key, const char *crt)
 return -EINVAL;
 }
+ if (ciphers && ops->context_set_ciphers(ctx, ciphers)) {
+ fprintf(stderr, "No recognized ciphers in cipher list\n");
+ return -EINVAL;
+ }
+
 return 0;
 }
diff --git a/tls.h b/tls.h
index 9be74ba..f457cb7 100644
--- a/tls.h
+++ b/tls.h
@@ -22,13 +22,13 @@
 #ifdef HAVE_TLS
-int uh_tls_init(const char *key, const char *crt);
+int uh_tls_init(const char *key, const char *crt, const char *ciphers);
 void uh_tls_client_attach(struct client *cl);
 void uh_tls_client_detach(struct client *cl);
 #else
-static inline int uh_tls_init(const char *key, const char *crt)
+static inline int uh_tls_init(const char *key, const char *crt, const char *ciphers)
 {
 return -1;
 }
--
2.30.2
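Review bot: In the tls.c `@@ -63,6 +63,11 @@` hunk, `ops->context_set_ciphers` is invoked without checking that the provider actually supplies it; `ops` appears to be populated from a dynamically loaded ustream-ssl provider (the `dlh` handle in the preceding hunk's context), so a provider built before this entry point existed would leave the slot unset and `-P` would crash at startup instead of failing cleanly. An explicit cipher restriction is a hardening control and must fail closed: refuse to start when the provider cannot honour it, exactly as the existing `return -EINVAL` path does for an unrecognized list, rather than silently running with the provider's defaults. A short comment that `ciphers == NULL` deliberately keeps the provider's default cipher list, plus echoing the rejected (operator-supplied) string in the error, would also help diagnose the OpenSSL-vs-mbedTLS syntax difference. uh_tls_init's signature is in the earlier hunk and the body between the two hunks is not shown here.

```c
	if (ciphers) {
		/* -P is a hardening control: fail closed if the loaded
		 * provider cannot apply it, never fall back to defaults. */
		if (!ops->context_set_ciphers) {
			fprintf(stderr, "TLS provider does not support cipher selection\n");
			return -EINVAL;
		}
		if (ops->context_set_ciphers(ctx, ciphers)) {
			fprintf(stderr, "No recognized ciphers in cipher list '%s'\n", ciphers);
			return -EINVAL;
		}
	}
	/* ciphers == NULL: keep the provider's default cipher list */

	return 0;
```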