kike: allow specifying the cipher list

2015-07-12 17:34:44 +02:00 · 2015-07-12 17:34:44 +02:00 · f69ca8e54c
parent 3c1bbbc513
commit f69ca8e54c
1 changed files with 8 additions and 1 deletions
--- a/kike.c
+++ b/kike.c
@ -31,6 +31,9 @@ enum { PIPE_READ, PIPE_WRITE };

 // --- Configuration (application-specific) ------------------------------------

+// Just get rid of the crappiest ciphers available by default
+#define DEFAULT_CIPHERS "DEFAULT:!MEDIUM:!LOW"
+
 static struct config_item g_config_table[] =
 {
 	{ "pid_file",        NULL,              "Path or name of the PID file"   },
@ -43,6 +46,7 @@ static struct config_item g_config_table[] =
 	{ "bind_port",       "6667",            "Port of the IRC server"         },
 	{ "ssl_cert",        NULL,              "Server SSL certificate (PEM)"   },
 	{ "ssl_key",         NULL,              "Server SSL private key (PEM)"   },
+	{ "ssl_ciphers",     DEFAULT_CIPHERS,   "OpenSSL cipher list"            },

 	{ "operators",       NULL,              "IRCop SSL cert. fingerprints"   },

@ -3506,7 +3510,10 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
 		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);

 	// XXX: perhaps we should read the files ourselves for better messages
-	if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
+	const char *ciphers = str_map_find (&ctx->config, "ssl_ciphers");
+	if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))
+		error_set (e, "failed to select any cipher from the cipher list");
+	else if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
 		error_set (e, "%s: %s", "setting the SSL client certificate failed",
 			ERR_error_string (ERR_get_error (), NULL));
 	else if (!SSL_CTX_use_PrivateKey_file