authorRick Macklem <rmacklem@FreeBSD.org>2022-05-05 22:54:14 +0000
committerRick Macklem <rmacklem@FreeBSD.org>2022-05-05 22:54:14 +0000
commit712aac1389e8476ff3da98fd7ec80bf71fc601f4 (patch)
tree378c4be2b54de5985917a77069dff590da90bac9 /usr.sbin
parent0881eb9665dbfc8a53d9914a9dca1f0473ee1acb (diff)
rpc.tlsservd: Add a -C command line option for preferred_ciphers
rpc.tlsclntd has a -C command line option for setting preferred_ciphers. Testing at a recent IETF NFSv4 testing event showed that setting preferred_ciphers is not normally needed for rpc.tlsservd.

This patch modifies rpc.tlsservd so that it no longer specifies preferred_ciphers by default, but provides the same -C option as rpc.tlsclntd for setting preferred_ciphers in case it is needed.

The man page update will be done as a separate commit.

MFC after: 2 weeks
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpc.tlsservd/rpc.tlsservd.c31
1 files changed, 20 insertions, 11 deletions
diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index db829be68334..2726ba84fd3b 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -104,6 +104,7 @@ static uint64_t rpctls_ssl_usec = 0;
static bool rpctls_cnuser = false;
static char *rpctls_dnsname;
static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1";
+static const char *rpctls_ciphers = NULL;
static void rpctlssd_terminate(int);
static SSL_CTX *rpctls_setup_ssl(const char *certdir);
@@ -118,6 +119,7 @@ static void rpctls_huphandler(int sig __unused);
extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp);
static struct option longopts[] = {
+ { "ciphers", required_argument, NULL, 'C' },
{ "certdir", required_argument, NULL, 'D' },
{ "debuglevel", no_argument, NULL, 'd' },
{ "checkhost", no_argument, NULL, 'h' },
@@ -178,9 +180,12 @@ main(int argc, char **argv)
}
rpctls_verbose = false;
- while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts,
+ while ((ch = getopt_long(argc, argv, "CD:dhl:n:mp:r:uvWw", longopts,
NULL)) != -1) {
switch (ch) {
+ case 'C':
+ rpctls_ciphers = optarg;
+ break;
case 'D':
rpctls_certdir = optarg;
break;
@@ -558,16 +563,20 @@ rpctls_setup_ssl(const char *certdir)
}
SSL_CTX_set_ecdh_auto(ctx, 1);
- /*
- * Set preferred ciphers, since KERN_TLS only supports a
- * few of them.
- */
- ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS);
- if (ret == 0) {
- rpctls_verbose_out("rpctls_setup_ssl: "
- "SSL_CTX_set_cipher_list failed to set any ciphers\n");
- SSL_CTX_free(ctx);
- return (NULL);
+ if (rpctls_ciphers != NULL) {
+ /*
+ * Set preferred ciphers, since KERN_TLS only supports a
+ * few of them. Normally, not doing this should be ok,
+ * since the library defaults will work.
+ */
+ ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+ if (ret == 0) {
+ rpctls_verbose_out("rpctls_setup_ssl: "
+ "SSL_CTX_set_cipher_list failed: %s\n",
+ rpctls_ciphers);
+ SSL_CTX_free(ctx);
+ return (NULL);
+ }
}
/* Get the cert.pem and certkey.pem files from the directory certdir. */
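Review bot: The `-C` string is applied only through SSL_CTX_set_cipher_list(), which governs the TLS 1.2-and-earlier cipher list; if this context negotiates TLS 1.3 (which RPC-over-TLS normally requires, though the protocol setup is not visible in the hunk), the TLS 1.3 ciphersuites are selected by SSL_CTX_set_ciphersuites() and are unaffected by this option, so an operator passing -C to pin KTLS-capable suites may get no restriction at all. Either feed the string (or a second option) to SSL_CTX_set_ciphersuites() as well, or state the scope in the new comment, e.g. `/* Only restricts the <= TLS 1.2 cipher list; TLS 1.3 suites are controlled by SSL_CTX_set_ciphersuites(). */`. With the default path no longer calling SSL_CTX_set_cipher_list(), the `_PREFERRED_CIPHERS` macro referenced by the removed lines may now be unused, so its definition (outside the hunk) should be checked. rpctls_setup_ssl's body continues past the hunk.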