ircd::net::acceptor: Add conf::item to blacklist ciphers out of the supported cipher list.

include/ircd/net/acceptor.h

@@ -26,6 +26,7 @@ struct ircd::net::acceptor
 	static log::log log;
 	static conf::item<milliseconds> timeout;
 	static conf::item<std::string> ssl_cipher_list;
+	static conf::item<std::string> ssl_cipher_blacklist;
 
 	net::listener *listener_;
 	std::string name;

ircd/net.cc

@@ -1109,6 +1109,13 @@ ircd::net::acceptor::ssl_cipher_list
 	{ "default",  string_view{}                       },
 };
 
+decltype(ircd::net::acceptor::ssl_cipher_blacklist)
+ircd::net::acceptor::ssl_cipher_blacklist
+{
+	{ "name",     "ircd.net.acceptor.ssl.cipher.blacklist" },
+	{ "default",  string_view{}                            },
+};
+
 std::ostream &
 ircd::net::operator<<(std::ostream &s, const acceptor &a)
 {
@@ -1572,6 +1579,25 @@ ircd::net::acceptor::configure(const json::object &opts)
 		const string_view &list(ssl_cipher_list);
 		openssl::set_cipher_list(*ssl.native_handle(), list);
 	}
+	else if(!empty(string_view(ssl_cipher_blacklist)))
+	{
+		assert(ssl.native_handle());
+
+		std::stringstream res;
+		const string_view &blacklist(ssl_cipher_blacklist);
+		const auto ciphers(openssl::cipher_list(*ssl.native_handle(), 0));
+		ircd::tokens(ciphers, ':', [&res, &blacklist]
+		(const string_view &cipher)
+		{
+			if(!has(blacklist, cipher))
+				res << cipher << ':';
+		});
+
+		std::string list(res.str());
+		assert(list.empty() || list.back() == ':');
+		list.pop_back();
+		openssl::set_cipher_list(*ssl.native_handle(), list);
+	}
 
 	if(!empty(unquote(opts["ssl_curve_list"])))
 	{