Introduce a new `-P` option which allows specifying a colon separated list
of accepted TLS ciphers.
Depending on the underlying ustream-ssl provider, the list either follows
OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon
separated cipher whitelist.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
" -s [addr:]port Like -p but provide HTTPS on this port\n"
" -C file ASN.1 server certificate file\n"
" -K file ASN.1 server private key file\n"
" -s [addr:]port Like -p but provide HTTPS on this port\n"
" -C file ASN.1 server certificate file\n"
" -K file ASN.1 server private key file\n"
+ " -P ciphers Colon separated list of allowed TLS ciphers\n"
" -q Redirect all HTTP requests to HTTPS\n"
#endif
" -h directory Specify the document root, default is '.'\n"
" -q Redirect all HTTP requests to HTTPS\n"
#endif
" -h directory Specify the document root, default is '.'\n"
int bound = 0;
#ifdef HAVE_TLS
int n_tls = 0;
int bound = 0;
#ifdef HAVE_TLS
int n_tls = 0;
- const char *tls_key = NULL, *tls_crt = NULL;
+ const char *tls_key = NULL, *tls_crt = NULL, *tls_ciphers = NULL;
#endif
#ifdef HAVE_LUA
const char *lua_prefix = NULL, *lua_handler = NULL;
#endif
#ifdef HAVE_LUA
const char *lua_prefix = NULL, *lua_handler = NULL;
init_defaults_pre();
signal(SIGPIPE, SIG_IGN);
init_defaults_pre();
signal(SIGPIPE, SIG_IGN);
- while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
switch(ch) {
#ifdef HAVE_TLS
case 'C':
switch(ch) {
#ifdef HAVE_TLS
case 'C':
+ case 'P':
+ tls_ciphers = optarg;
+ break;
+
case 'q':
conf.tls_redirect = 1;
break;
case 'q':
conf.tls_redirect = 1;
break;
#else
case 'C':
case 'K':
#else
case 'C':
case 'K':
case 'q':
case 's':
fprintf(stderr, "uhttpd: TLS support not compiled, "
case 'q':
case 's':
fprintf(stderr, "uhttpd: TLS support not compiled, "
- if (uh_tls_init(tls_key, tls_crt))
+ if (uh_tls_init(tls_key, tls_crt, tls_ciphers))
static void *dlh;
static void *ctx;
static void *dlh;
static void *ctx;
-int uh_tls_init(const char *key, const char *crt)
+int uh_tls_init(const char *key, const char *crt, const char *ciphers)
{
static bool _init = false;
{
static bool _init = false;
+ if (ciphers && ops->context_set_ciphers(ctx, ciphers)) {
+ fprintf(stderr, "No recognized ciphers in cipher list\n");
+ return -EINVAL;
+ }
+
-int uh_tls_init(const char *key, const char *crt);
+int uh_tls_init(const char *key, const char *crt, const char *ciphers);
void uh_tls_client_attach(struct client *cl);
void uh_tls_client_detach(struct client *cl);
#else
void uh_tls_client_attach(struct client *cl);
void uh_tls_client_detach(struct client *cl);
#else
-static inline int uh_tls_init(const char *key, const char *crt)
+static inline int uh_tls_init(const char *key, const char *crt, const char *ciphers)