diff options
Diffstat (limited to '')
-rw-r--r-- | doc-jp/README.SSL | 3 | ||||
-rw-r--r-- | fm.h | 5 | ||||
-rw-r--r-- | rc.c | 3 | ||||
-rw-r--r-- | url.c | 8 |
4 files changed, 16 insertions, 3 deletions
diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL index 5899bc8..0542ffd 100644 --- a/doc-jp/README.SSL +++ b/doc-jp/README.SSL @@ -27,6 +27,9 @@ SSL サポートについて 使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3) (デフォルトは2, 3). + ssl_ciphers + TLSv1.2以下用のSSL暗号(例: DEFAULT:@SECLEVEL=2) (デフォルトは + OpenSSL 1.1以上なら<NULL>、それ以外なら"DEFAULT:!LOW:!RC4:!EXP"). ssl_verify_server ON/OFF SSLのサーバ認証を行う(デフォルトはON). ssl_cert_file ファイル名 @@ -1191,7 +1191,12 @@ global int ssl_path_modified init(FALSE); * defined(USE_SSL_VERIFY) */ #ifdef USE_SSL global char *ssl_forbid_method init("2, 3"); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) +global char *ssl_cipher init("DEFAULT:!LOW:!RC4:!EXP"); +#else +global char *ssl_cipher init(NULL); #endif +#endif /* USE_SSL */ global int is_redisplay init(FALSE); global int clear_buffer init(TRUE); @@ -205,6 +205,7 @@ static int OptionEncode = FALSE; #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs") #endif /* USE_SSL_VERIFY */ #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)") +#define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)") #endif /* USE_SSL */ #ifdef USE_COOKIE #define CMT_USECOOKIE N_("Enable cookie processing") @@ -612,6 +613,8 @@ struct param_ptr params6[] = { struct param_ptr params7[] = { {"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method, CMT_SSL_FORBID_METHOD, NULL}, + {"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher, CMT_SSL_CIPHER, + NULL}, #ifdef USE_SSL_VERIFY {"ssl_verify_server", P_INT, PI_ONOFF, (void *)&ssl_verify_server, CMT_SSL_VERIFY_SERVER, NULL}, @@ -336,9 +336,11 @@ openSSLHandle(int sock, char *hostname, char **p_cert) #endif if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method()))) goto eend; -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP"); -#endif + if (ssl_cipher && *ssl_cipher != '\0') + if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) { + free_ssl_ctx(); + goto eend; + } option = SSL_OP_ALL; if (ssl_forbid_method) { if (strchr(ssl_forbid_method, '2')) |