Commit cbca2e35 authored by Tatsuhiro Tsujikawa's avatar Tatsuhiro Tsujikawa

nghttpx: Show default cipher list in -h

parent fc9bdf02
...@@ -1354,6 +1354,9 @@ void fill_default_config(Config *config) { ...@@ -1354,6 +1354,9 @@ void fill_default_config(Config *config) {
} }
tlsconf.session_timeout = std::chrono::hours(12); tlsconf.session_timeout = std::chrono::hours(12);
tlsconf.ciphers = StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
tlsconf.client.ciphers =
StringRef::from_lit(nghttp2::ssl::DEFAULT_CIPHER_LIST);
#if OPENSSL_1_1_API #if OPENSSL_1_1_API
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521"); tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
#else // !OPENSSL_1_1_API #else // !OPENSSL_1_1_API
...@@ -1898,9 +1901,13 @@ SSL/TLS: ...@@ -1898,9 +1901,13 @@ SSL/TLS:
--ciphers=<SUITE> --ciphers=<SUITE>
Set allowed cipher list for frontend connection. The Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1). format of the string is described in OpenSSL ciphers(1).
Default: )"
<< config->tls.ciphers << R"(
--client-ciphers=<SUITE> --client-ciphers=<SUITE>
Set allowed cipher list for backend connection. The Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1). format of the string is described in OpenSSL ciphers(1).
Default: )"
<< config->tls.client.ciphers << R"(
--ecdh-curves=<LIST> --ecdh-curves=<LIST>
Set supported curve list for frontend connections. Set supported curve list for frontend connections.
<LIST> is a colon separated list of curve NID or names <LIST> is a colon separated list of curve NID or names
......
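Review bot: The `Default:` line added under `--ciphers` (and under `--client-ciphers`) streams `config->tls.ciphers` rather than the constant, so it only shows the built-in default if print_help runs before any `--ciphers`/`--client-ciphers` value from the command line or a config file has been applied to `config`; I believe `-h` is handled before option processing, but the text would silently show a user-supplied value if that order ever changes. Streaming the constant directly, `<< nghttp2::ssl::DEFAULT_CIPHER_LIST << R"(`, would make the help output independent of parse order and keep it identical to what fill_default_config assigns in the first hunk. Both fill_default_config and the help string continue outside the visible hunks, and the trailing context of each hunk is not shown here.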
...@@ -645,15 +645,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, ...@@ -645,15 +645,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count()); SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());
const char *ciphers; if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.ciphers.c_str()) == 0) {
if (!tlsconf.ciphers.empty()) { LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.ciphers
ciphers = tlsconf.ciphers.c_str();
} else {
ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
...@@ -873,14 +866,8 @@ SSL_CTX *create_ssl_client_context( ...@@ -873,14 +866,8 @@ SSL_CTX *create_ssl_client_context(
SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask); SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
const char *ciphers; if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
if (!tlsconf.client.ciphers.empty()) { LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
ciphers = tlsconf.client.ciphers.c_str();
} else {
ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
......
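Review bot: Removing the empty-string fallback in create_ssl_context (and identically in create_ssl_client_context in the second hunk) changes what an explicitly empty `--ciphers=` or `--client-ciphers=` does: instead of quietly using `DEFAULT_CIPHER_LIST` it is now handed to `SSL_CTX_set_cipher_list` as `""`, which OpenSSL rejects, so startup dies via `LOG(FATAL)` and `DIE()`. Failing closed on an unusable cipher list is the safer behaviour, but because the old code accepted it silently, the `--ciphers`/`--client-ciphers` help text should say so, e.g. `An empty value is rejected.`. Both functions continue outside the hunks and the trailing context lines of each hunk are not visible here.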