From c01675d34288018e46d8b92aacacac4151a85d8f Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Wed, 10 Feb 2021 19:20:37 +0900
Subject: New option ssl_cipher to specify ciphers for TLSv1.2 and below

---
 doc-jp/README.SSL | 3 +++
 fm.h | 5 +++++
 rc.c | 3 +++
 url.c | 8 +++++---
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
index 5899bc8..0542ffd 100644
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -27,6 +27,9 @@ SSL サポートについて
 使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3) (デフォルトは2, 3).
+ ssl_ciphers
+ TLSv1.2以下用のSSL暗号(例: DEFAULT:@SECLEVEL=2) (デフォルトは
+ OpenSSL 1.1以上なら、それ以外なら"DEFAULT:!LOW:!RC4:!EXP").
 ssl_verify_server ON/OFF
 SSLのサーバ認証を行う(デフォルトはON).
 ssl_cert_file ファイル名
diff --git a/fm.h b/fm.h
index 216cd53..9d1995e 100644
--- a/fm.h
+++ b/fm.h
@@ -1191,7 +1191,12 @@ global int ssl_path_modified init(FALSE);
  * defined(USE_SSL_VERIFY) */
 #ifdef USE_SSL
 global char *ssl_forbid_method init("2, 3");
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+global char *ssl_cipher init("DEFAULT:!LOW:!RC4:!EXP");
+#else
+global char *ssl_cipher init(NULL);
 #endif
+#endif /* USE_SSL */
 global int is_redisplay init(FALSE);
 global int clear_buffer init(TRUE);
diff --git a/rc.c b/rc.c
index 35e262c..521e830 100644
--- a/rc.c
+++ b/rc.c
@@ -205,6 +205,7 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
 #endif /* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
+#define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)")
 #endif /* USE_SSL */
 #ifdef USE_COOKIE
 #define CMT_USECOOKIE N_("Enable cookie processing")
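Review bot: The new `ssl_cipher` global in the fm.h hunk carries no comment saying what a NULL or empty value means, even though url.c in this same commit relies on exactly that contract (`if (ssl_cipher && *ssl_cipher != '\0')` skips the call and leaves OpenSSL's built-in cipher list untouched). Suggest `/* NULL or "" keeps OpenSSL's built-in cipher list; affects TLSv1.2 and below only */` above the `#if`. The `#if` also assumes OPENSSL_VERSION_NUMBER is already visible at this point in fm.h; if the OpenSSL headers are included later, the undefined macro evaluates to 0 and the legacy "DEFAULT:!LOW:!RC4:!EXP" default is chosen even on OpenSSL 1.1+, so the include order above the hunk is worth confirming.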
@@ -612,6 +613,8 @@ struct param_ptr params6[] = {
 struct param_ptr params7[] = {
 {"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method, CMT_SSL_FORBID_METHOD, NULL},
+ {"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher, CMT_SSL_CIPHER,
+ NULL},
 #ifdef USE_SSL_VERIFY
 {"ssl_verify_server", P_INT, PI_ONOFF, (void *)&ssl_verify_server, CMT_SSL_VERIFY_SERVER, NULL},
diff --git a/url.c b/url.c
index 5cb171d..c7eeb16 100644
--- a/url.c
+++ b/url.c
@@ -336,9 +336,11 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 #endif
 if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
 goto eend;
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
- SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
-#endif
+ if (ssl_cipher && *ssl_cipher != '\0')
+ if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
+ free_ssl_ctx();
+ goto eend;
+ }
 option = SSL_OP_ALL;
 if (ssl_forbid_method) {
 if (strchr(ssl_forbid_method, '2'))
-- cgit v1.2.3
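Review bot: The option is registered here as `"ssl_cipher"`, but the doc-jp/README.SSL hunk in this same commit documents it as `ssl_ciphers`; one of the two should be corrected so the name users read is the name rc.c accepts. The README entry's default text also reads as if the value for the OpenSSL 1.1+ case is missing after `デフォルトは OpenSSL 1.1以上なら`, presumably "empty" to match the `init(NULL)` in fm.h. The params7 array begins and continues outside this hunk.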
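Review bot: The new cipher-list check is an unbraced `if` nested directly inside another unbraced `if`, the shape that invites dangling-else mistakes and that the surrounding code does not use; fold it into one braced condition: `if (ssl_cipher && *ssl_cipher != '\0' && !SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {`. Failing closed when no cipher in the list is usable is the right choice, but the user gets no indication that their `ssl_cipher` setting is why the connection failed; a short diagnostic before `goto eend`, using whatever reporting openSSLHandle uses on its other failure paths, would make the misconfiguration findable. A comment such as `/* governs TLSv1.2 and below only; TLSv1.3 ciphersuites are unaffected */` would tie the code to the "TLSv1.2 and below" wording of the option's help string. openSSLHandle starts and ends outside this hunk.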