From af585dbd1d444faafa370a73c1db43aece731f85 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sat, 15 Feb 2020 22:39:30 +0100
Subject: [PATCH] uclient-fetch: support specifying advertised TLS ciphers

Introduce a new `--ciphers` option which allows specifying a colon separated list of usable TLS ciphers. Depending on the underlying ustream-ssl provider, the list either follows OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon separated cipher whitelist.

Signed-off-by: Jo-Philipp Wich
---
 uclient-fetch.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/uclient-fetch.c b/uclient-fetch.c
index 38c9c53..a06be5d 100644
--- a/uclient-fetch.c
+++ b/uclient-fetch.c
@@ -467,6 +467,7 @@ static int usage(const char *progname)
 "HTTPS options:\n"
 " --ca-certificate= Load CA certificates from file \n"
 " --no-check-certificate don't validate the server's certificate\n"
+ " --ciphers= Set the cipher list string\n"
 "\n", progname);
 return 1;
 }
@@ -510,6 +511,7 @@ static int no_ssl(const char *progname)
 enum {
 L_NO_CHECK_CERTIFICATE,
 L_CA_CERTIFICATE,
+ L_CIPHERS,
 L_USER,
 L_PASSWORD,
 L_USER_AGENT,
@@ -525,6 +527,7 @@ enum {
 static const struct option longopts[] = {
 [L_NO_CHECK_CERTIFICATE] = { "no-check-certificate", no_argument },
 [L_CA_CERTIFICATE] = { "ca-certificate", required_argument },
+ [L_CIPHERS] = { "ciphers", required_argument },
 [L_USER] = { "user", required_argument },
 [L_PASSWORD] = { "password", required_argument },
 [L_USER_AGENT] = { "user-agent", required_argument },
@@ -568,6 +571,15 @@ int main(int argc, char **argv)
 if (ssl_ctx)
 ssl_ops->context_add_ca_crt_file(ssl_ctx, optarg);
 break;
+ case L_CIPHERS:
+ if (ssl_ctx) {
+ if (ssl_ops->context_set_ciphers(ssl_ctx, optarg)) {
+ if (!quiet)
+ fprintf(stderr, "No recognized ciphers in cipher list\n");
+ exit(1);
+ }
+ }
+ break;
 case L_USER:
 if (!strlen(optarg))
 break;
-- 
2.25.1
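Review bot: The new usage line in the first hunk, `" --ciphers= Set the cipher list string\n"`, hides the fact stated in the commit message that the accepted syntax depends on the ustream-ssl backend (OpenSSL cipher-string format versus a plain colon-separated whitelist for mbedTLS), so a user reading only the help output cannot tell which form to write. A wording such as `" --ciphers= Set the TLS cipher list (syntax depends on the ustream-ssl backend)\n"` keeps the line short and makes the help self-contained. The surrounding usage() string literal starts before the hunk.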
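Review bot: In the last hunk any non-zero return from `ssl_ops->context_set_ciphers` is reported as "No recognized ciphers in cipher list" and aborts the program, but nothing in the hunk documents that this is the op's contract; a comment such as `/* non-zero: backend accepted none of the requested ciphers; abort rather than continue with its defaults */` above the call would pin the intent for the next maintainer. The call also goes through the ops table with no visible check that the loaded backend populates the new member; the `--ca-certificate` case above has the same shape, so the table is presumably always complete, but if `ssl_ops` can come from an older ustream-ssl build a NULL check on the member would be prudent — verify against how ssl_ops is obtained. If the OpenSSL backend implements this via the legacy cipher-list API, TLS 1.3 ciphersuites are not governed by it, which is worth a word in the help text so the option is not mistaken for a complete allow-list. The enclosing switch in main() starts and ends outside the hunk.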