From 721039f3593237f5faa1067bf0536319ab91b7f4 Mon Sep 17 00:00:00 2001
From: Jason Volk
Date: Tue, 12 Mar 2019 17:47:57 -0700
Subject: [PATCH] ircd::net::acceptor: Add conf::item to blacklist ciphers out of the supported cipher list.

---
 include/ircd/net/acceptor.h |  1 +
 ircd/net.cc                 | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/include/ircd/net/acceptor.h b/include/ircd/net/acceptor.h
index b28bd2a70..557306269 100644
--- a/include/ircd/net/acceptor.h
+++ b/include/ircd/net/acceptor.h
@@ -26,6 +26,7 @@ struct ircd::net::acceptor
 	static log::log log;
 	static conf::item timeout;
 	static conf::item ssl_cipher_list;
+	static conf::item ssl_cipher_blacklist;
 
 	net::listener *listener_;
 	std::string name;
diff --git a/ircd/net.cc b/ircd/net.cc
index 32919e903..9f55db957 100644
--- a/ircd/net.cc
+++ b/ircd/net.cc
@@ -1109,6 +1109,13 @@ ircd::net::acceptor::ssl_cipher_list
 	{ "default", string_view{} },
 };
 
+decltype(ircd::net::acceptor::ssl_cipher_blacklist)
+ircd::net::acceptor::ssl_cipher_blacklist
+{
+	{ "name", "ircd.net.acceptor.ssl.cipher.blacklist" },
+	{ "default", string_view{} },
+};
+
 std::ostream &
 ircd::net::operator<<(std::ostream &s, const acceptor &a)
 {
@@ -1572,6 +1579,25 @@ ircd::net::acceptor::configure(const json::object &opts)
 		const string_view &list(ssl_cipher_list);
 		openssl::set_cipher_list(*ssl.native_handle(), list);
 	}
+	else if(!empty(string_view(ssl_cipher_blacklist)))
+	{
+		assert(ssl.native_handle());
+
+		std::stringstream res;
+		const string_view &blacklist(ssl_cipher_blacklist);
+		const auto ciphers(openssl::cipher_list(*ssl.native_handle(), 0));
+		ircd::tokens(ciphers, ':', [&res, &blacklist]
+		(const string_view &cipher)
+		{
+			if(!has(blacklist, cipher))
+				res << cipher << ':';
+		});
+
+		std::string list(res.str());
+		assert(list.empty() || list.back() == ':');
+		list.pop_back();
+		openssl::set_cipher_list(*ssl.native_handle(), list);
+	}
 
 	if(!empty(unquote(opts["ssl_curve_list"])))
 	{
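Review bot: The new conf item definition in ircd/net.cc does not state that it is ignored whenever `ircd.net.acceptor.ssl.cipher.list` is set, which is what the `else if` in configure() below implies; an operator who sets both will get no blacklisting and no warning. I would add a comment above the definition along the lines of `// Only consulted when ssl_cipher_list is empty: entries are removed from OpenSSL's default list, while an explicit cipher list replaces it outright.` The expected entry format (presumably ':'-separated OpenSSL cipher names, matching the list it is filtered against) is also not stated and should be, since a mis-formatted entry silently matches nothing.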
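Review bot: The filter in the new `else if` branch uses `has(blacklist, cipher)`, which by its call shape looks like a substring test, so a blacklist entry removes every supported cipher whose name is a substring of it: blacklisting `ECDHE-RSA-AES128-GCM-SHA256` would also drop `AES128-GCM-SHA256`, and short entries such as `SHA` would strip the whole list. Since the purpose of this item is to take specific ciphers out of service, the comparison should be an exact match per ':'-separated token, as sketched below (assuming the blacklist uses the same ':' separator as the OpenSSL list). Separately, `list.pop_back()` is guarded only by an `assert`, so in a release build a blacklist that removes every cipher pops an empty `std::string`, which is undefined behaviour, and then hands an empty list to `openssl::set_cipher_list`; replace it with `if(!list.empty()) list.pop_back();` and reject (or at least log) an empty result rather than configuring the acceptor with it. The meaning of the `0` argument to `openssl::cipher_list` is not visible here and deserves a comment; configure() itself begins and ends outside this hunk.
```cpp
		ircd::tokens(ciphers, ':', [&res, &blacklist]
		(const string_view &cipher)
		{
			// Exact token match: an entry must equal the cipher name, not merely
			// contain it, so one blacklisted suite cannot remove unrelated ones.
			bool drop(false);
			ircd::tokens(blacklist, ':', [&drop, &cipher]
			(const string_view &entry)
			{
				drop |= entry == cipher;
			});

			if(!drop)
				res << cipher << ':';
		});

		std::string list(res.str());
		// Empty result means the blacklist removed every supported cipher;
		// do not pop an empty string and do not hand "" to OpenSSL.
		if(!list.empty())
			list.pop_back();
		// … unchanged: set_cipher_list call …
```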