Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 3 Jun 2022 02:10:36 GMT
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 146e1dbbf6b9 - stable/13 - rpc.tlsservd: Add a -C command line option for preferred_ciphers
Message-ID:  <202206030210.2532Aa7w028847@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=146e1dbbf6b9634a5cd06e1b5ff81d417627fcae

commit 146e1dbbf6b9634a5cd06e1b5ff81d417627fcae
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2022-05-05 22:54:14 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2022-06-03 02:09:41 +0000

    rpc.tlsservd: Add a -C command line option for preferred_ciphers
    
    rpc.tlsclntd has a -C command line option for setting
    preferred_ciphers.  Testing at a recent IETF NFSv4 testing
    event showed that setting preferred_ciphers is not normally
    needed for the rpc.tlsservd.
    
    This patch modifies rpc.tlsservd to not specify preferred_ciphers
    by default, but provides the same -C option as rpc.tlsclntd to
    set preferred_ciphers, in case it is needed.
    
    The man page update will be done as a separate commit.
    
    (cherry picked from commit 712aac1389e8476ff3da98fd7ec80bf71fc601f4)
---
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index 16dd3e9c2d8b..2e27a112b6e2 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -104,6 +104,7 @@ static uint64_t		rpctls_ssl_usec = 0;
 static bool		rpctls_cnuser = false;
 static char		*rpctls_dnsname;
 static const char	*rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1";
+static const char	*rpctls_ciphers = NULL;
 
 static void		rpctlssd_terminate(int);
 static SSL_CTX		*rpctls_setup_ssl(const char *certdir);
@@ -118,6 +119,7 @@ static void		rpctls_huphandler(int sig __unused);
 extern void		rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp);
 
 static struct option longopts[] = {
+	{ "ciphers",		required_argument,	NULL,	'C' },
 	{ "certdir",		required_argument,	NULL,	'D' },
 	{ "debuglevel",		no_argument,		NULL,	'd' },
 	{ "checkhost",		no_argument,		NULL,	'h' },
@@ -179,9 +181,12 @@ main(int argc, char **argv)
 
 	debug = 0;
 	rpctls_verbose = false;
-	while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts,
+	while ((ch = getopt_long(argc, argv, "CD:dhl:n:mp:r:uvWw", longopts,
 	    NULL)) != -1) {
 		switch (ch) {
+		case 'C':
+			rpctls_ciphers = optarg;
+			break;
 		case 'D':
 			rpctls_certdir = optarg;
 			break;
@@ -559,16 +564,20 @@ rpctls_setup_ssl(const char *certdir)
 	}
 	SSL_CTX_set_ecdh_auto(ctx, 1);
 
-	/*
-	 * Set preferred ciphers, since KERN_TLS only supports a
-	 * few of them.
-	 */
-	ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS);
-	if (ret == 0) {
-		rpctls_verbose_out("rpctls_setup_ssl: "
-		    "SSL_CTX_set_cipher_list failed to set any ciphers\n");
-		SSL_CTX_free(ctx);
-		return (NULL);
+	if (rpctls_ciphers != NULL) {
+		/*
+		 * Set preferred ciphers, since KERN_TLS only supports a
+		 * few of them.  Normally, not doing this should be ok,
+		 * since the library defaults will work.
+		 */
+		ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+		if (ret == 0) {
+			rpctls_verbose_out("rpctls_setup_ssl: "
+			    "SSL_CTX_set_cipher_list failed: %s\n",
+			    rpctls_ciphers);
+			SSL_CTX_free(ctx);
+			return (NULL);
+		}
 	}
 
 	/* Get the cert.pem and certkey.pem files from the directory certdir. */



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202206030210.2532Aa7w028847>