* Allow the '-S' command line option, so the cipher suites can be specified without...
authorArt Cancro <ajc@citadel.org>
Wed, 23 Sep 2009 21:22:30 +0000 (21:22 +0000)
committerArt Cancro <ajc@citadel.org>
Wed, 23 Sep 2009 21:22:30 +0000 (21:22 +0000)
webcit/README.txt
webcit/crypto.c
webcit/webcit.h
webcit/webserver.c

index 7e3dc243e94c7e5e3f51bf69a9f3e1e9a08d1082..4cccfea819f6688ee10d5d1cba46bb6331ba190b 100644 (file)
@@ -104,12 +104,12 @@ something like this:
  Several command-line options are also available.  Here's the usage for
 the "webcit" program:
   
  Several command-line options are also available.  Here's the usage for
 the "webcit" program:
   
- webcit [-i ip_addr] [-p http_port] [-s] [-t tracefile]
+ webcit [-i ip_addr] [-p http_port] [-s] [-S cipher_suite] [-t tracefile]
            [-c] [-f] [remotehost [remoteport]]
  
    *or*
  
            [-c] [-f] [remotehost [remoteport]]
  
    *or*
  
- webcit [-i ip_addr] [-p http_port] [-s] [-t tracefile]
+ webcit [-i ip_addr] [-p http_port] [-s] [-S cipher_suite] [-t tracefile]
            [-c] [-f] uds /your/citadel/directory
  
  Explained: 
            [-c] [-f] uds /your/citadel/directory
  
  Explained: 
@@ -142,6 +142,10 @@ the "webcit" program:
      service.  If you want to do both HTTP and HTTPS, you can simply run two
      instances of WebCit on two different ports.
 
      service.  If you want to do both HTTP and HTTPS, you can simply run two
      instances of WebCit on two different ports.
 
+  -> The "-S" option also enables HTTPS, but must be followed by a list of
+     cipher suites you wish to enable.  Please see http://openssl.org/docs/apps/ciphers.html
+     for a list of cipher strings.
+
   -> The "-f" option tells WebCit that it is allowed to follow the
      "X-Forwarded-For:" HTTP headers which may be added if your WebCit service
      is sitting behind a front end proxy.  This will allow users in your "Who
   -> The "-f" option tells WebCit that it is allowed to follow the
      "X-Forwarded-For:" HTTP headers which may be added if your WebCit service
      is sitting behind a front end proxy.  This will allow users in your "Who
index 0545b7260fa31c2217f074352c3d9ac7ebec30d4..344dc6a5a83c41999b8ab840ab74cb93408638da 100644 (file)
 #define CTDL_CSR_PATH          file_crpt_file_csr
 #define CTDL_CER_PATH          file_crpt_file_cer
 #define SIGN_DAYS              3650                    /* how long our certificate should live */
 #define CTDL_CSR_PATH          file_crpt_file_csr
 #define CTDL_CER_PATH          file_crpt_file_cer
 #define SIGN_DAYS              3650                    /* how long our certificate should live */
-#define WEBCIT_CIPHER_LIST     "DEFAULT"               /* See http://openssl.org/docs/apps/ciphers.html */
 
 SSL_CTX *ssl_ctx;              /* SSL context */
 pthread_mutex_t **SSLCritters; /* Things needing locking */
 
 SSL_CTX *ssl_ctx;              /* SSL context */
 pthread_mutex_t **SSLCritters; /* Things needing locking */
+char *ssl_cipher_list = DEFAULT_SSL_CIPHER_LIST;
 
 pthread_key_t ThreadSSL;       /* Per-thread SSL context */
 
 
 pthread_key_t ThreadSSL;       /* Per-thread SSL context */
 
@@ -96,12 +96,12 @@ void init_ssl(void)
                return;
        }
 
                return;
        }
 
-       if (!(SSL_CTX_set_cipher_list(ssl_ctx, WEBCIT_CIPHER_LIST))) {
+       lprintf(9, "Requesting cipher list: %s\n", ssl_cipher_list);
+       if (!(SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher_list))) {
                lprintf(3, "SSL_CTX_set_cipher_list failed: %s\n", ERR_reason_error_string(ERR_get_error()));
                return;
        }
 
                lprintf(3, "SSL_CTX_set_cipher_list failed: %s\n", ERR_reason_error_string(ERR_get_error()));
                return;
        }
 
-
        CRYPTO_set_locking_callback(ssl_lock);
        CRYPTO_set_id_callback(id_callback);
 
        CRYPTO_set_locking_callback(ssl_lock);
        CRYPTO_set_id_callback(id_callback);
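Review bot: When `SSL_CTX_set_cipher_list` rejects the operator-supplied string (the new call replacing `WEBCIT_CIPHER_LIST`), `init_ssl` only logs at level 3 and returns, leaving `is_https` set, `ssl_ctx` with whatever cipher list it held before the call, and the locking/id callbacks on the following lines never installed. Since `-S` exists precisely to restrict ciphers, a mistyped or unsupported list should be fatal rather than a silently dropped restriction, e.g. `lprintf(1, "Invalid cipher list '%s': %s\n", ssl_cipher_list, ERR_reason_error_string(ERR_get_error())); exit(1);` — whether the caller already treats the early return as fatal is outside this hunk. Also, `ssl_cipher_list` is initialised from a string literal and later assigned a `strdup` result, so it should be `const char *ssl_cipher_list` to keep the literal from being writable through it. `init_ssl` begins and ends outside the hunk.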
 
index 4142cf15fa8fb876752ffb781deb4a0dcdbc13e5..0c876429e6b86b3999334626341aa7dc57dbaef4 100644 (file)
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+extern char *ssl_cipher_list;
+#define        DEFAULT_SSL_CIPHER_LIST "DEFAULT"       /* See http://openssl.org/docs/apps/ciphers.html */
 #endif
 
 #endif
 
+
 #define CALENDAR_ROOM_NAME     "Calendar"
 #define PRODID "-//Citadel//NONSGML Citadel Calendar//EN"
 
 #define CALENDAR_ROOM_NAME     "Calendar"
 #define PRODID "-//Citadel//NONSGML Citadel Calendar//EN"
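Review bot: `extern char *ssl_cipher_list;` declares a writable pointer whose default target is the string literal `"DEFAULT"` from `DEFAULT_SSL_CIPHER_LIST` on the next line; any write through it is undefined behaviour, so declare it `extern const char *ssl_cipher_list;` and match the definition in crypto.c. Separately, OpenSSL's `DEFAULT` cipher string is meant to be permissive rather than hardened and, depending on the build, can admit anonymous and low-strength suites; now that operators can override it, consider a stricter built-in such as `#define DEFAULT_SSL_CIPHER_LIST "HIGH:!aNULL:!MD5"`, checked against the OpenSSL version WebCit is built with. A short comment next to the macro saying that `-S` overrides it would also help readers find the option.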
 
index 81f4ac8379c6b6b10a97ff41d08d3f7111987db1..064031ff36a9805d78f880ed888423287551e514 100644 (file)
@@ -354,7 +354,7 @@ int main(int argc, char **argv)
 
        /* Parse command line */
 #ifdef HAVE_OPENSSL
 
        /* Parse command line */
 #ifdef HAVE_OPENSSL
-       while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfsZ")) != EOF)
+       while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfsS:Z")) != EOF)
 #else
        while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfZ")) != EOF)
 #endif
 #else
        while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfZ")) != EOF)
 #endif
@@ -362,11 +362,12 @@ int main(int argc, char **argv)
                case 'h':
                        hdir = strdup(optarg);
                        relh=hdir[0]!='/';
                case 'h':
                        hdir = strdup(optarg);
                        relh=hdir[0]!='/';
-                       if (!relh) safestrncpy(webcitdir, hdir,
-                                                                  sizeof webcitdir);
-                       else
-                               safestrncpy(relhome, relhome,
-                                                       sizeof relhome);
+                       if (!relh) {
+                               safestrncpy(webcitdir, hdir, sizeof webcitdir);
+                       }
+                       else {
+                               safestrncpy(relhome, relhome, sizeof relhome);
+                       }
                        /* free(hdir); TODO: SHOULD WE DO THIS? */
                        home_specified = 1;
                        home=1;
                        /* free(hdir); TODO: SHOULD WE DO THIS? */
                        home_specified = 1;
                        home=1;
@@ -427,9 +428,15 @@ int main(int argc, char **argv)
                                }
                        }
                        break;
                                }
                        }
                        break;
+#ifdef HAVE_OPENSSL
                case 's':
                        is_https = 1;
                        break;
                case 's':
                        is_https = 1;
                        break;
+               case 'S':
+                       is_https = 1;
+                       ssl_cipher_list = strdup(optarg);
+                       break;
+#endif
                case 'G':
                        DumpTemplateI18NStrings = 1;
                        I18nDump = NewStrBufPlain(HKEY("int templatestrings(void)\n{\n"));
                case 'G':
                        DumpTemplateI18NStrings = 1;
                        I18nDump = NewStrBufPlain(HKEY("int templatestrings(void)\n{\n"));
@@ -442,7 +449,7 @@ int main(int argc, char **argv)
                                "[-T Templatedebuglevel] "
                                "[-d] [-Z] [-G i18ndumpfile] "
 #ifdef HAVE_OPENSSL
                                "[-T Templatedebuglevel] "
                                "[-d] [-Z] [-G i18ndumpfile] "
 #ifdef HAVE_OPENSSL
-                               "[-s] "
+                               "[-s] [-S cipher_suites]"
 #endif
                                "[remotehost [remoteport]]\n");
                        return 1;
 #endif
                                "[remotehost [remoteport]]\n");
                        return 1;
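Review bot: In the re-braced `-h` handling the `else` branch still reads `safestrncpy(relhome, relhome, sizeof relhome)`, copying `relhome` onto itself, so a relative home directory given with `-h` is never recorded; the intent looks like `safestrncpy(relhome, hdir, sizeof relhome);` — this predates the commit, which only reformats the lines, and the meaning of `relhome` is outside the hunk. In the new `case 'S'`, `strdup(optarg)` is unchecked, so on allocation failure `ssl_cipher_list` becomes NULL and is later handed to `lprintf` via `%s` and to `SSL_CTX_set_cipher_list`; a second `-S` also leaks the first copy. The usage string `"[-s] [-S cipher_suites]"` lacks a trailing space, so it prints run together with `[remotehost [remoteport]]`. `main` starts and ends outside these hunks.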