tls: support specifying accepted TLS ciphers

Introduce a new `-P` option which allows specifying a colon separated list of accepted TLS ciphers. Depending on the underlying ustream-ssl provider, the list either follows OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon separated cipher whitelist. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2020-02-15 21:35:40 +0100
committer: Jo-Philipp Wich <jo@mein.io> 2020-02-15 23:47:00 +0100
commit: 5fc551d620bb353dbac68fe4d23da12784575118 (patch)
tree: 3809453943aa538ed987faebc4f728ab201b6c62 /tls.c
parent: 2ee323c01079248baa9465969df9e25b5fb68cdf (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/tls.c b/tls.c
index d969b82..1da0881 100644
--- a/tls.c
+++ b/tls.c
@@ -31,7 +31,7 @@ static struct ustream_ssl_ops *ops;
 static void *dlh;
 static void *ctx;
 
-int uh_tls_init(const char *key, const char *crt)
+int uh_tls_init(const char *key, const char *crt, const char *ciphers)
 {
 	static bool _init = false;
 
@@ -63,6 +63,11 @@ int uh_tls_init(const char *key, const char *crt)
 		return -EINVAL;
 	}
 
+	if (ciphers && ops->context_set_ciphers(ctx, ciphers)) {
+		fprintf(stderr, "No recognized ciphers in cipher list\n");
+		return -EINVAL;
+	}
+
 	return 0;
 }
author	Jo-Philipp Wich <jo@mein.io>	2020-02-15 21:35:40 +0100
committer	Jo-Philipp Wich <jo@mein.io>	2020-02-15 23:47:00 +0100
commit	5fc551d620bb353dbac68fe4d23da12784575118 (patch)
tree	3809453943aa538ed987faebc4f728ab201b6c62 /tls.c
parent	2ee323c01079248baa9465969df9e25b5fb68cdf (diff)