From 22c01fa65b42abcb91f8d6dfd976c04bdf811815 Mon Sep 17 00:00:00 2001
From: Art Cancro
Date: Wed, 23 Sep 2009 21:22:30 +0000
Subject: [PATCH] * Allow the '-S' command line option, so the cipher suites can be specified without recompiling.

---
 webcit/README.txt | 8 ++++++--
 webcit/crypto.c | 6 +++---
 webcit/webcit.h | 3 +++
 webcit/webserver.c | 21 ++++++++++++++-------
 4 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/webcit/README.txt b/webcit/README.txt
index 7e3dc243e..4cccfea81 100644
--- a/webcit/README.txt
+++ b/webcit/README.txt
@@ -104,12 +104,12 @@ something like this:
 Several command-line options are also available. Here's the usage for
 the "webcit" program:
- webcit [-i ip_addr] [-p http_port] [-s] [-t tracefile]
+ webcit [-i ip_addr] [-p http_port] [-s] [-S cipher_suite] [-t tracefile]
 [-c] [-f] [remotehost [remoteport]]
 *or*
- webcit [-i ip_addr] [-p http_port] [-s] [-t tracefile]
+ webcit [-i ip_addr] [-p http_port] [-s] [-S cipher_suite] [-t tracefile]
 [-c] [-f] uds /your/citadel/directory
 Explained:
@@ -142,6 +142,10 @@ the "webcit" program:
 service. If you want to do both HTTP and HTTPS, you can simply run two
 instances of WebCit on two different ports.
+ -> The "-S" option also enables HTTPS, but must be followed by a list of
+ cipher suites you wish to enable. Please see http://openssl.org/docs/apps/ciphers.html
+ for a list of cipher strings.
+
 -> The "-f" option tells WebCit that it is allowed to follow the
 "X-Forwarded-For:" HTTP headers which may be added if your WebCit service
 is sitting behind a front end proxy. This will allow users in your "Who
diff --git a/webcit/crypto.c b/webcit/crypto.c
index 0545b7260..344dc6a5a 100644
--- a/webcit/crypto.c
+++ b/webcit/crypto.c
@@ -14,10 +14,10 @@
 #define CTDL_CSR_PATH file_crpt_file_csr
 #define CTDL_CER_PATH file_crpt_file_cer
 #define SIGN_DAYS 3650 /* how long our certificate should live */
-#define WEBCIT_CIPHER_LIST "DEFAULT" /* See http://openssl.org/docs/apps/ciphers.html */
 SSL_CTX *ssl_ctx; /* SSL context */
 pthread_mutex_t **SSLCritters; /* Things needing locking */
+char *ssl_cipher_list = DEFAULT_SSL_CIPHER_LIST;
 pthread_key_t ThreadSSL; /* Per-thread SSL context */
@@ -96,12 +96,12 @@ void init_ssl(void)
 return;
 }
- if (!(SSL_CTX_set_cipher_list(ssl_ctx, WEBCIT_CIPHER_LIST))) {
+ lprintf(9, "Requesting cipher list: %s\n", ssl_cipher_list);
+ if (!(SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher_list))) {
 lprintf(3, "SSL_CTX_set_cipher_list failed: %s\n", ERR_reason_error_string(ERR_get_error()));
 return;
 }
-
 CRYPTO_set_locking_callback(ssl_lock);
 CRYPTO_set_id_callback(id_callback);
diff --git a/webcit/webcit.h b/webcit/webcit.h
index 4142cf15f..0c876429e 100644
--- a/webcit/webcit.h
+++ b/webcit/webcit.h
@@ -97,8 +97,11 @@
 #include
 #include
 #include
+extern char *ssl_cipher_list;
+#define DEFAULT_SSL_CIPHER_LIST "DEFAULT" /* See http://openssl.org/docs/apps/ciphers.html */
 #endif
+
 #define CALENDAR_ROOM_NAME "Calendar"
 #define PRODID "-//Citadel//NONSGML Citadel Calendar//EN"
diff --git a/webcit/webserver.c b/webcit/webserver.c
index 81f4ac837..064031ff3 100644
--- a/webcit/webserver.c
+++ b/webcit/webserver.c
@@ -354,7 +354,7 @@ int main(int argc, char **argv)
 /* Parse command line */
 #ifdef HAVE_OPENSSL
- while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfsZ")) != EOF)
+ while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfsS:Z")) != EOF)
 #else
 while ((a = getopt(argc, argv, "h:i:p:t:T:B:x:dD:G:cfZ")) != EOF)
 #endif
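Review bot: `char *ssl_cipher_list = DEFAULT_SSL_CIPHER_LIST;` points a writable `char *` at a string literal, so the declaration promises a mutability the object does not have; the only use visible on this page is as the `const char *` argument of `SSL_CTX_set_cipher_list`, and the `-S` handler assigns a `strdup` result, which converts to a const pointer implicitly. Change it to `const char *ssl_cipher_list = DEFAULT_SSL_CIPHER_LIST;` and the matching declaration in the webcit.h hunk to `extern const char *ssl_cipher_list;`. A one-line comment on the definition saying where it is set, e.g. `/* OpenSSL cipher string; overridden by the -S command line option */`, would also help now that the default lives in a different file from the variable.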
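Review bot: When `SSL_CTX_set_cipher_list` rejects the string, init_ssl logs at level 3 and returns before `CRYPTO_set_locking_callback` and `CRYPTO_set_id_callback` are installed, leaving `ssl_ctx` partly configured; with `-S` this failure is now reachable from a typo on the command line rather than only from a broken build. Nothing in the hunk clears `is_https` or reports back to the caller, so the server presumably carries on as an HTTPS listener with an unconfigured context — confirm how main() behaves after init_ssl returns. Making this path fatal at startup (an `exit(1)` after the existing lprintf, or returning a status the caller checks) would be the safer behaviour, and the level-9 "Requesting cipher list" line is the right diagnostic to keep next to it. init_ssl begins and ends outside the hunk.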
@@ -362,11 +362,12 @@ int main(int argc, char **argv)
 case 'h':
 hdir = strdup(optarg);
 relh=hdir[0]!='/';
- if (!relh) safestrncpy(webcitdir, hdir,
- sizeof webcitdir);
- else
- safestrncpy(relhome, relhome,
- sizeof relhome);
+ if (!relh) {
+ safestrncpy(webcitdir, hdir, sizeof webcitdir);
+ }
+ else {
+ safestrncpy(relhome, relhome, sizeof relhome);
+ }
 /* free(hdir); TODO: SHOULD WE DO THIS? */
 home_specified = 1;
 home=1;
@@ -427,9 +428,15 @@ int main(int argc, char **argv)
 }
 }
 break;
+#ifdef HAVE_OPENSSL
 case 's':
 is_https = 1;
 break;
+ case 'S':
+ is_https = 1;
+ ssl_cipher_list = strdup(optarg);
+ break;
+#endif
 case 'G':
 DumpTemplateI18NStrings = 1;
 I18nDump = NewStrBufPlain(HKEY("int templatestrings(void)\n{\n"));
@@ -442,7 +449,7 @@ int main(int argc, char **argv)
 "[-T Templatedebuglevel] "
 "[-d] [-Z] [-G i18ndumpfile] "
 #ifdef HAVE_OPENSSL
- "[-s] "
+ "[-s] [-S cipher_suites]"
 #endif
 "[remotehost [remoteport]]\n");
 return 1;
-- 
2.30.2
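Review bot: The reformatted else branch still reads `safestrncpy(relhome, relhome, sizeof relhome);`, copying `relhome` onto itself, which is a no-op at best and an overlapping-buffer copy if safestrncpy is strncpy-based; the reformat preserves what looks like a pre-existing bug rather than the intended `safestrncpy(relhome, hdir, sizeof relhome);`. Presumably the relative-path case was meant to record `hdir` — worth confirming against how `relhome` is consumed later in main(), which is outside the hunk. The commented-out `free(hdir)` TODO on the next line is also left unresolved; either free it after the copies or document why the pointer must outlive this block.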
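Review bot: `ssl_cipher_list = strdup(optarg);` is never checked, so on allocation failure `ssl_cipher_list` becomes NULL and is later handed to `SSL_CTX_set_cipher_list` and to the level-9 lprintf as a `%s` argument. The copy is unnecessary: `optarg` points into `argv`, which lives for the whole process, so `ssl_cipher_list = optarg;` avoids both the unchecked allocation and the leak of the previous copy when `-S` is given more than once. If a copy is wanted for a reason not visible here, check the result and abort with a message.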
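Review bot: The new usage literal `"[-s] [-S cipher_suites]"` has no trailing space, so when concatenated with the following `"[remotehost [remoteport]]\n"` literal it prints as `[-S cipher_suites][remotehost ...`; the removed line ended with a space for exactly that reason. Change it to `"[-s] [-S cipher_suites] "`. The README hunk also spells the placeholder `cipher_suite` while this one says `cipher_suites`; pick one so the two usage texts match.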