kike: allow specifying the cipher list
This commit is contained in:
parent
3c1bbbc513
commit
f69ca8e54c
9
kike.c
9
kike.c
@ -31,6 +31,9 @@ enum { PIPE_READ, PIPE_WRITE };
|
||||
|
||||
// --- Configuration (application-specific) ------------------------------------
|
||||
|
||||
// Just get rid of the crappiest ciphers available by default
|
||||
#define DEFAULT_CIPHERS "DEFAULT:!MEDIUM:!LOW"
|
||||
|
||||
static struct config_item g_config_table[] =
|
||||
{
|
||||
{ "pid_file", NULL, "Path or name of the PID file" },
|
||||
@ -43,6 +46,7 @@ static struct config_item g_config_table[] =
|
||||
{ "bind_port", "6667", "Port of the IRC server" },
|
||||
{ "ssl_cert", NULL, "Server SSL certificate (PEM)" },
|
||||
{ "ssl_key", NULL, "Server SSL private key (PEM)" },
|
||||
{ "ssl_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" },
|
||||
|
||||
{ "operators", NULL, "IRCop SSL cert. fingerprints" },
|
||||
|
||||
@ -3506,7 +3510,10 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
|
||||
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||
|
||||
// XXX: perhaps we should read the files ourselves for better messages
|
||||
if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
|
||||
const char *ciphers = str_map_find (&ctx->config, "ssl_ciphers");
|
||||
if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))
|
||||
error_set (e, "failed to select any cipher from the cipher list");
|
||||
else if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
|
||||
error_set (e, "%s: %s", "setting the SSL client certificate failed",
|
||||
ERR_error_string (ERR_get_error (), NULL));
|
||||
else if (!SSL_CTX_use_PrivateKey_file
|
||||
|
Loading…
Reference in New Issue
Block a user