aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2021-02-10 10:20:37 +0000
committerTatsuya Kinoshita <tats@debian.org>2021-02-10 11:01:56 +0000
commitc01675d34288018e46d8b92aacacac4151a85d8f (patch)
tree56a06ebbb3bd787682a429bee9313883117d49ae
parentUpdate ChangeLog (diff)
downloadw3m-c01675d34288018e46d8b92aacacac4151a85d8f.tar.gz
w3m-c01675d34288018e46d8b92aacacac4151a85d8f.zip
New option ssl_cipher to specify ciphers for TLSv1.2 and below
-rw-r--r--doc-jp/README.SSL3
-rw-r--r--fm.h5
-rw-r--r--rc.c3
-rw-r--r--url.c8
4 files changed, 16 insertions, 3 deletions
diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
index 5899bc8..0542ffd 100644
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -27,6 +27,9 @@ SSL サポートについて
使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1.0,
5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)
(デフォルトは2, 3).
+ ssl_ciphers
+ TLSv1.2以下用のSSL暗号(例: DEFAULT:@SECLEVEL=2) (デフォルトは
+ OpenSSL 1.1以上なら<NULL>、それ以外なら"DEFAULT:!LOW:!RC4:!EXP").
ssl_verify_server ON/OFF
SSLのサーバ認証を行う(デフォルトはON).
ssl_cert_file ファイル名
diff --git a/fm.h b/fm.h
index 216cd53..9d1995e 100644
--- a/fm.h
+++ b/fm.h
@@ -1191,7 +1191,12 @@ global int ssl_path_modified init(FALSE);
* defined(USE_SSL_VERIFY) */
#ifdef USE_SSL
global char *ssl_forbid_method init("2, 3");
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+global char *ssl_cipher init("DEFAULT:!LOW:!RC4:!EXP");
+#else
+global char *ssl_cipher init(NULL);
#endif
+#endif /* USE_SSL */
global int is_redisplay init(FALSE);
global int clear_buffer init(TRUE);
diff --git a/rc.c b/rc.c
index 35e262c..521e830 100644
--- a/rc.c
+++ b/rc.c
@@ -205,6 +205,7 @@ static int OptionEncode = FALSE;
#define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
#endif /* USE_SSL_VERIFY */
#define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
+#define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)")
#endif /* USE_SSL */
#ifdef USE_COOKIE
#define CMT_USECOOKIE N_("Enable cookie processing")
@@ -612,6 +613,8 @@ struct param_ptr params6[] = {
struct param_ptr params7[] = {
{"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method,
CMT_SSL_FORBID_METHOD, NULL},
+ {"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher, CMT_SSL_CIPHER,
+ NULL},
#ifdef USE_SSL_VERIFY
{"ssl_verify_server", P_INT, PI_ONOFF, (void *)&ssl_verify_server,
CMT_SSL_VERIFY_SERVER, NULL},
diff --git a/url.c b/url.c
index 5cb171d..c7eeb16 100644
--- a/url.c
+++ b/url.c
@@ -336,9 +336,11 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
#endif
if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
goto eend;
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
- SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
-#endif
+ if (ssl_cipher && *ssl_cipher != '\0')
+ if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
+ free_ssl_ctx();
+ goto eend;
+ }
option = SSL_OP_ALL;
if (ssl_forbid_method) {
if (strchr(ssl_forbid_method, '2'))