New option ssl_cipher to specify ciphers for TLSv1.2 and below

2021-02-10 19:20:37 +09:00
parent 97c7d9b410
commit c01675d342
4 changed files with 16 additions and 3 deletions
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -27,6 +27,9 @@ SSL サポートについて
        使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1.0,
        5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)
        (デフォルトは2, 3).
+    ssl_ciphers
+        TLSv1.2以下用のSSL暗号(例: DEFAULT:@SECLEVEL=2) (デフォルトは
+        OpenSSL 1.1以上なら<NULL>、それ以外なら"DEFAULT:!LOW:!RC4:!EXP").
    ssl_verify_server ON/OFF
        SSLのサーバ認証を行う(デフォルトはON).
    ssl_cert_file ファイル名
--- a/fm.h
+++ b/fm.h
@@ -1191,7 +1191,12 @@ global int ssl_path_modified init(FALSE);
 				 * defined(USE_SSL_VERIFY) */
 #ifdef USE_SSL
 global char *ssl_forbid_method init("2, 3");
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+global char *ssl_cipher init("DEFAULT:!LOW:!RC4:!EXP");
+#else
+global char *ssl_cipher init(NULL);
 #endif
+#endif				/* USE_SSL */

 global int is_redisplay init(FALSE);
 global int clear_buffer init(TRUE);
--- a/rc.c
+++ b/rc.c
@@ -205,6 +205,7 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
 #endif				/* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
+#define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)")
 #endif				/* USE_SSL */
 #ifdef USE_COOKIE
 #define CMT_USECOOKIE   N_("Enable cookie processing")
@@ -612,6 +613,8 @@ struct param_ptr params6[] = {
 struct param_ptr params7[] = {
    {"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method,
     CMT_SSL_FORBID_METHOD, NULL},
+    {"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher, CMT_SSL_CIPHER,
+     NULL},
 #ifdef USE_SSL_VERIFY
    {"ssl_verify_server", P_INT, PI_ONOFF, (void *)&ssl_verify_server,
     CMT_SSL_VERIFY_SERVER, NULL},
--- a/url.c
+++ b/url.c
@@ -336,9 +336,11 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 #endif
 	if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
 	    goto eend;
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-	SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
-#endif
+	if (ssl_cipher && *ssl_cipher != '\0')
+	    if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
+		free_ssl_ctx();
+		goto eend;
+	    }
 	option = SSL_OP_ALL;
 	if (ssl_forbid_method) {
 	    if (strchr(ssl_forbid_method, '2'))