
tls: support specifying accepted TLS ciphers

Introduce a new `-P` option which allows specifying a colon separated list
of accepted TLS ciphers.

Depending on the underlying ustream-ssl provider, the list either follows
OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon
separated cipher whitelist.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich 4 years ago
parent
commit
5fc551d620
3 changed files with 17 additions and 6 deletions
  1. 9 3
      main.c
  2. 6 1
      tls.c
  3. 2 2
      tls.h

+ 9 - 3
main.c

@@ -139,6 +139,7 @@ static int usage(const char *name)
 		"	-s [addr:]port  Like -p but provide HTTPS on this port\n"
 		"	-C file         ASN.1 server certificate file\n"
 		"	-K file         ASN.1 server private key file\n"
+		"	-P ciphers      Colon separated list of allowed TLS ciphers\n"
 		"	-q              Redirect all HTTP requests to HTTPS\n"
 #endif
 		"	-h directory    Specify the document root, default is '.'\n"
@@ -249,7 +250,7 @@ int main(int argc, char **argv)
 	int bound = 0;
 #ifdef HAVE_TLS
 	int n_tls = 0;
-	const char *tls_key = NULL, *tls_crt = NULL;
+	const char *tls_key = NULL, *tls_crt = NULL, *tls_ciphers = NULL;
 #endif
 #ifdef HAVE_LUA
 	const char *lua_prefix = NULL, *lua_handler = NULL;
@@ -261,7 +262,7 @@ int main(int argc, char **argv)
 	init_defaults_pre();
 	signal(SIGPIPE, SIG_IGN);
 
-	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
 		switch(ch) {
 #ifdef HAVE_TLS
 		case 'C':
@@ -272,6 +273,10 @@ int main(int argc, char **argv)
 			tls_key = optarg;
 			break;
 
+		case 'P':
+			tls_ciphers = optarg;
+			break;
+
 		case 'q':
 			conf.tls_redirect = 1;
 			break;
@@ -282,6 +287,7 @@ int main(int argc, char **argv)
 #else
 		case 'C':
 		case 'K':
+		case 'P':
 		case 'q':
 		case 's':
 			fprintf(stderr, "uhttpd: TLS support not compiled, "
@@ -523,7 +529,7 @@ int main(int argc, char **argv)
 			return 1;
 		}
 
-		if (uh_tls_init(tls_key, tls_crt))
+		if (uh_tls_init(tls_key, tls_crt, tls_ciphers))
 		    return 1;
 	}
 #endif
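Review bot: The usage line added in the first hunk of this file, `-P ciphers      Colon separated list of allowed TLS ciphers`, does not tell the operator that the list's grammar depends on the ustream-ssl backend, which the commit message does spell out (OpenSSL cipher-string format versus a plain colon separated whitelist for mbedTLS). Since a list the provider rejects makes uh_tls_init return -EINVAL and main() exit with 1 (last hunk), the help text is the only place a user learns which syntax applies; something like `"	-P ciphers      Colon separated list of allowed TLS ciphers (syntax is TLS provider specific)\n"` would close that gap. The remaining hunks in this file are plumbing for the new option and look consistent, including the `case 'P':` added to the non-TLS error branch.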

+ 6 - 1
tls.c

@@ -31,7 +31,7 @@ static struct ustream_ssl_ops *ops;
 static void *dlh;
 static void *ctx;
 
-int uh_tls_init(const char *key, const char *crt)
+int uh_tls_init(const char *key, const char *crt, const char *ciphers)
 {
 	static bool _init = false;
 
@@ -63,6 +63,11 @@ int uh_tls_init(const char *key, const char *crt)
 		return -EINVAL;
 	}
 
+	if (ciphers && ops->context_set_ciphers(ctx, ciphers)) {
+		fprintf(stderr, "No recognized ciphers in cipher list\n");
+		return -EINVAL;
+	}
+
 	return 0;
 }
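Review bot: The new check `if (ciphers && ops->context_set_ciphers(ctx, ciphers))` calls through the ops table of a provider loaded at runtime via `dlh`, so if the installed ustream-ssl library predates this callback the pointer may be NULL and `-P` would crash instead of being refused. Guarding the pointer and reporting the two cases separately, e.g. `if (ciphers && !ops->context_set_ciphers) { fprintf(stderr, "TLS provider does not support cipher selection\n"); return -EINVAL; }` before the existing check, keeps the fail-closed behaviour while giving a usable diagnostic. The message "No recognized ciphers in cipher list" also presumes that a non-zero return can only mean that; if the provider signals other errors this text may mislead. The body of uh_tls_init begins outside this hunk.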
 

+ 2 - 2
tls.h

@@ -22,13 +22,13 @@
 
 #ifdef HAVE_TLS
 
-int uh_tls_init(const char *key, const char *crt);
+int uh_tls_init(const char *key, const char *crt, const char *ciphers);
 void uh_tls_client_attach(struct client *cl);
 void uh_tls_client_detach(struct client *cl);
 
 #else
 
-static inline int uh_tls_init(const char *key, const char *crt)
+static inline int uh_tls_init(const char *key, const char *crt, const char *ciphers)
 {
 	return -1;
 }
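Review bot: The new `ciphers` parameter of `uh_tls_init` carries no documentation in the header, even though it changes the public entry point and its meaning is only recoverable from tls.c and main.c. A comment above the HAVE_TLS prototype, e.g. `/* ciphers: colon separated cipher list passed to the ustream-ssl provider (syntax is provider specific), or NULL to keep the provider default; returns -EINVAL if the provider rejects the list. */`, would let callers use the new argument without reading the implementation. The non-TLS stub below ignores all three parameters as before, so no behavioural change there.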