Several command-line options are also available. Here's the usage for
the "webcit" program:
- webcit [-i ip_addr] [-p http_port] [-s] [-t tracefile]
+ webcit [-i ip_addr] [-p http_port] [-s] [-S cipher_suite] [-t tracefile]
[-c] [-f] [remotehost [remoteport]]
*or*
- webcit [-i ip_addr] [-p http_port] [-s] [-t tracefile]
+ webcit [-i ip_addr] [-p http_port] [-s] [-S cipher_suite] [-t tracefile]
[-c] [-f] uds /your/citadel/directory
Explained:
service. If you want to do both HTTP and HTTPS, you can simply run two
instances of WebCit on two different ports.
+ -> The "-S" option also enables HTTPS, but must be followed by a list of
+ cipher suites you wish to enable. Please see http://openssl.org/docs/apps/ciphers.html
+ for a list of cipher strings.
+
-> The "-f" option tells WebCit that it is allowed to follow the
"X-Forwarded-For:" HTTP headers which may be added if your WebCit service
is sitting behind a front end proxy. This will allow users in your "Who
#define CTDL_CSR_PATH file_crpt_file_csr
#define CTDL_CER_PATH file_crpt_file_cer
#define SIGN_DAYS 3650 /* how long our certificate should live */
-#define WEBCIT_CIPHER_LIST "DEFAULT" /* See http://openssl.org/docs/apps/ciphers.html */
SSL_CTX *ssl_ctx; /* SSL context */
pthread_mutex_t **SSLCritters; /* Things needing locking */
+char *ssl_cipher_list = DEFAULT_SSL_CIPHER_LIST;
pthread_key_t ThreadSSL; /* Per-thread SSL context */
return;
}
- if (!(SSL_CTX_set_cipher_list(ssl_ctx, WEBCIT_CIPHER_LIST))) {
+ lprintf(9, "Requesting cipher list: %s\n", ssl_cipher_list);
+ if (!(SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher_list))) {
lprintf(3, "SSL_CTX_set_cipher_list failed: %s\n", ERR_reason_error_string(ERR_get_error()));
return;
}
-
CRYPTO_set_locking_callback(ssl_lock);
CRYPTO_set_id_callback(id_callback);
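Review bot: With `-S` the cipher string is now operator-supplied, so a typo in it makes `SSL_CTX_set_cipher_list` fail and the `return` on the following line leaves initialization half done (the locking and id callbacks below are never registered) while `is_https` is still set by the option parser. A bad list should be fatal rather than logged at level 3 and ignored; e.g. `lprintf(1, "SSL_CTX_set_cipher_list failed: %s\n", ERR_reason_error_string(ERR_get_error())); exit(1);` or whatever fatal-exit idiom the rest of the file uses. Alternatively validate the string at option-parse time so the failure is reported before the server starts listening. The enclosing function starts outside this hunk, so I can't see what the caller does with an early return.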
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+extern char *ssl_cipher_list;
+#define DEFAULT_SSL_CIPHER_LIST "DEFAULT" /* See http://openssl.org/docs/apps/ciphers.html */
#endif
+
#define CALENDAR_ROOM_NAME "Calendar"
#define PRODID "-//Citadel//NONSGML Citadel Calendar//EN"
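Review bot: The new `DEFAULT_SSL_CIPHER_LIST` keeps OpenSSL's `"DEFAULT"` string, which delegates the suite selection entirely to whatever the linked OpenSSL build considers default and, depending on the version, can still admit weak or anonymous suites; since operators can now override it with `-S`, it is worth shipping a more restrictive baseline, e.g. `#define DEFAULT_SSL_CIPHER_LIST "HIGH:!aNULL:!eNULL:!MD5"`. Also note in a comment that `ssl_cipher_list` may point either at this literal or at a `strdup`'d `-S` argument, so it must never be `free`'d unconditionally: `/* points at DEFAULT_SSL_CIPHER_LIST (not heap) unless -S was given */`. Which version of OpenSSL the "DEFAULT" string is evaluated against is not visible here, so treat the weak-suite concern as something to confirm against the build.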
/* Parse command line */
#ifdef HAVE_OPENSSL
- while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfsZ")) != EOF)
+ while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfsS:Z")) != EOF)
#else
while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfZ")) != EOF)
#endif
case 'h':
hdir = strdup(optarg);
relh=hdir[0]!='/';
- if (!relh) safestrncpy(webcitdir, hdir,
- sizeof webcitdir);
- else
- safestrncpy(relhome, relhome,
- sizeof relhome);
+ if (!relh) {
+ safestrncpy(webcitdir, hdir, sizeof webcitdir);
+ }
+ else {
+ safestrncpy(relhome, relhome, sizeof relhome);
+ }
/* free(hdir); TODO: SHOULD WE DO THIS? */
home_specified = 1;
home=1;
}
}
break;
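Review bot: The reformatted `else` branch still copies `relhome` onto itself, `safestrncpy(relhome, relhome, sizeof relhome);`, so a relative `-h` path is never stored; it almost certainly should read `safestrncpy(relhome, hdir, sizeof relhome);`. The commit only adds braces around this line, so the pre-existing bug survives on the new side. The `case 'h'` block begins before this hunk, so I cannot see whether `relhome` is populated elsewhere; if it is, a comment explaining why the copy is a no-op would help.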
+#ifdef HAVE_OPENSSL
case 's':
is_https = 1;
break;
+ case 'S':
+ is_https = 1;
+ ssl_cipher_list = strdup(optarg);
+ break;
+#endif
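Review bot: `ssl_cipher_list = strdup(optarg);` in the new `case 'S'` does not check for a NULL return, and the later `SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher_list)` would then be handed a NULL pointer; add `if (ssl_cipher_list == NULL) { perror("strdup"); exit(1); }` after the call. A repeated `-S` also leaks the previous copy, but since the variable initially points at a string literal it cannot simply be freed here — either track whether it is heap-owned or document that `-S` should be given once. Consider also rejecting an empty string up front so the operator gets a clear message rather than a generic cipher-list failure at SSL init.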
case 'G':
DumpTemplateI18NStrings = 1;
I18nDump = NewStrBufPlain(HKEY("int templatestrings(void)\n{\n"));
"[-T Templatedebuglevel] "
"[-d] [-Z] [-G i18ndumpfile] "
#ifdef HAVE_OPENSSL
- "[-s] "
+ "[-s] [-S cipher_suites]"
#endif
"[remotehost [remoteport]]\n");
return 1;
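Review bot: The new usage fragment `"[-s] [-S cipher_suites]"` has no trailing space, so after string concatenation it prints as `[-S cipher_suites][remotehost [remoteport]]`; the adjacent fragments all end with a space, so this should be `"[-s] [-S cipher_suites] "`. The option is also documented as `-S cipher_suite` in the README hunk above and as `cipher_suites` here; pick one spelling.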