Commit cbca2e35 authored by Tatsuhiro Tsujikawa's avatar Tatsuhiro Tsujikawa

nghttpx: Show default cipher list in -h

parent fc9bdf02
......@@ -1354,6 +1354,9 @@ void fill_default_config(Config *config) {
}
tlsconf.session_timeout = std::chrono::hours(12);
tlsconf.ciphers = StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
tlsconf.client.ciphers =
StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
#if OPENSSL_1_1_API
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
#else // !OPENSSL_1_1_API
......@@ -1898,9 +1901,13 @@ SSL/TLS:
--ciphers=<SUITE>
Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1).
Default: )"
<< config->tls.ciphers << R"(
--client-ciphers=<SUITE>
Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1).
Default: )"
<< config->tls.client.ciphers << R"(
--ecdh-curves=<LIST>
Set supported curve list for frontend connections.
<LIST> is a colon separated list of curve NID or names
......
......@@ -645,15 +645,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
const char *ciphers;
if (!tlsconf.ciphers.empty()) {
ciphers = tlsconf.ciphers.c_str();
} else {
ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
......@@ -873,14 +866,8 @@ SSL_CTX *create_ssl_client_context(
SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
const char *ciphers;
if (!tlsconf.client.ciphers.empty()) {
ciphers = tlsconf.client.ciphers.c_str();
} else {
ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment