uclient-fetch: support specifying advertised TLS ciphers
authorJo-Philipp Wich <jo@mein.io>
Sat, 15 Feb 2020 21:39:30 +0000 (22:39 +0100)
committerJo-Philipp Wich <jo@mein.io>
Sat, 15 Feb 2020 22:51:01 +0000 (23:51 +0100)
Introduce a new `--ciphers` option which allows specifying a colon separated
list of usable TLS ciphers.

Depending on the underlying ustream-ssl provider, the list either follows
OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon
separated cipher whitelist.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
uclient-fetch.c

index 38c9c53e35c7f20c4f36d059f5f25673a4e81176..a06be5df929d9cbcb2aa72464bd29bab24024000 100644 (file)
@@ -467,6 +467,7 @@ static int usage(const char *progname)
                "HTTPS options:\n"
                "       --ca-certificate=<cert>         Load CA certificates from file <cert>\n"
                "       --no-check-certificate          don't validate the server's certificate\n"
+               "       --ciphers=<cipherlist>          Set the cipher list string\n"
                "\n", progname);
        return 1;
 }
@@ -510,6 +511,7 @@ static int no_ssl(const char *progname)
 enum {
        L_NO_CHECK_CERTIFICATE,
        L_CA_CERTIFICATE,
+       L_CIPHERS,
        L_USER,
        L_PASSWORD,
        L_USER_AGENT,
@@ -525,6 +527,7 @@ enum {
 static const struct option longopts[] = {
        [L_NO_CHECK_CERTIFICATE] = { "no-check-certificate", no_argument },
        [L_CA_CERTIFICATE] = { "ca-certificate", required_argument },
+       [L_CIPHERS] = { "ciphers", required_argument },
        [L_USER] = { "user", required_argument },
        [L_PASSWORD] = { "password", required_argument },
        [L_USER_AGENT] = { "user-agent", required_argument },
@@ -568,6 +571,15 @@ int main(int argc, char **argv)
                                if (ssl_ctx)
                                        ssl_ops->context_add_ca_crt_file(ssl_ctx, optarg);
                                break;
+                       case L_CIPHERS:
+                               if (ssl_ctx) {
+                                       if (ssl_ops->context_set_ciphers(ssl_ctx, optarg)) {
+                                               if (!quiet)
+                                                       fprintf(stderr, "No recognized ciphers in cipher list\n");
+                                               exit(1);
+                                       }
+                               }
+                               break;
                        case L_USER:
                                if (!strlen(optarg))
                                        break;
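Review bot: The failure branch at the `context_set_ciphers` call treats a non-zero return as "no recognized ciphers", which suggests (inferred from the message, not visible here) that the backend only fails when nothing in the list is usable; a list with one misspelled entry would then be accepted silently with the remaining ciphers, which is worth stating so an operator does not assume the whole list was validated. A comment such as `/* non-zero means nothing in the list was usable; unknown entries among valid ones are silently dropped */` above the call would capture that, and if that inference is wrong the message itself should change to match the backend's actual contract. Separately, when `ssl_ctx` is NULL the option is accepted and discarded without any output, mirroring the `--ca-certificate` case above; that is presumably harmless because an HTTPS fetch fails later without a TLS backend, but a `fprintf(stderr, ...)` under `!quiet` would make the no-op explicit. The `exit(1)` here skips any cleanup that main() performs on its normal error paths; main() starts and ends outside the hunk, so whether that matches the file's convention cannot be confirmed from this view.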