From 6cff5cc155fd1d73eaf8576c03027e55ead724c6 Mon Sep 17 00:00:00 2001
From: Art Cancro
Date: Mon, 10 Jan 2022 14:54:54 -0500
Subject: [PATCH] I got a little too eager in removing old cruft from the TLS code. Not setting the correct cipher list broke production in a way that didn't fail in development.
---
 citadel/modules/crypto/serv_crypto.c | 20 +++++++-------------
 citadel/modules/crypto/serv_crypto.h | 4 +++-
 2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/citadel/modules/crypto/serv_crypto.c b/citadel/modules/crypto/serv_crypto.c
index 7c3ea8651..ee03fdaef 100644
--- a/citadel/modules/crypto/serv_crypto.c
+++ b/citadel/modules/crypto/serv_crypto.c
@@ -42,7 +42,7 @@
 #ifdef HAVE_OPENSSL
 SSL_CTX *ssl_ctx = NULL; // This SSL context is used for all sessions.
-
+char *ssl_cipher_list = CIT_CIPHERS;
 // If a private key does not exist, generate one now.
 void generate_key(char *keyfilename) {
@@ -221,14 +221,16 @@ void bind_to_key_and_certificate(void) {
 return;
 }
+ if (!(SSL_CTX_set_cipher_list(new_ctx, ssl_cipher_list))) {
+ syslog(LOG_ERR, "crypto: SSL_CTX_set_cipher_list failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
 syslog(LOG_DEBUG, "crypto: using certificate chain %s", file_crpt_file_cer);
 SSL_CTX_use_certificate_chain_file(new_ctx, file_crpt_file_cer);
 syslog(LOG_DEBUG, "crypto: using private key %s", file_crpt_file_key);
 SSL_CTX_use_PrivateKey_file(new_ctx, file_crpt_file_key, SSL_FILETYPE_PEM);
- if ( !SSL_CTX_check_private_key(new_ctx) ) {
- syslog(LOG_ERR, "crypto: cannot install certificate: %s", ERR_reason_error_string(ERR_get_error()));
- }
 old_ctx = ssl_ctx;
 ssl_ctx = new_ctx; // All future binds will use the new certificate
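Review bot: `char *ssl_cipher_list = CIT_CIPHERS;` declares a writable pointer to a string literal, so any later write through it is undefined behaviour and the compiler cannot warn about it. Its only use in this patch is as the argument to `SSL_CTX_set_cipher_list`, which takes `const char *`, so `const char *ssl_cipher_list = CIT_CIPHERS;` costs nothing; add `static` as well unless another translation unit is meant to reach it, which nothing in this patch shows. If the point of a variable rather than the macro is to allow a runtime override of the cipher list, a one-line comment saying where that override is expected to happen would help the next reader.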
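Review bot: The new code still promotes `new_ctx` to `ssl_ctx` when the certificate or key cannot be loaded: the return values of `SSL_CTX_use_certificate_chain_file` and `SSL_CTX_use_PrivateKey_file` are unchecked, and the `SSL_CTX_check_private_key` call that at least logged a key/certificate mismatch is gone, so a bad file now shows up only as every later `SSL_accept` failing while the previously working context has already been replaced. The added early return after the cipher-list failure also appears to leave `new_ctx` unfreed (it must have been created above the hunk, so this is inferred). Each failure path should log, `SSL_CTX_free(new_ctx)` and return so the old `ssl_ctx` stays in service; logging the numeric `ERR_get_error()` code with `%lu` also avoids passing the NULL that `ERR_reason_error_string` returns for an empty error queue to `%s`, a hazard the `SSL_accept` hunk at `@@ -540` shares. bind_to_key_and_certificate starts and ends outside the hunk.
```c
 if (!(SSL_CTX_set_cipher_list(new_ctx, ssl_cipher_list))) {
  syslog(LOG_ERR, "crypto: SSL_CTX_set_cipher_list failed (openssl error %lu)", ERR_get_error());
  SSL_CTX_free(new_ctx);
  return;
 }

 syslog(LOG_DEBUG, "crypto: using certificate chain %s", file_crpt_file_cer);
 if (SSL_CTX_use_certificate_chain_file(new_ctx, file_crpt_file_cer) != 1) {
  syslog(LOG_ERR, "crypto: cannot load certificate chain %s (openssl error %lu)", file_crpt_file_cer, ERR_get_error());
  SSL_CTX_free(new_ctx);
  return;
 }
 syslog(LOG_DEBUG, "crypto: using private key %s", file_crpt_file_key);
 if (SSL_CTX_use_PrivateKey_file(new_ctx, file_crpt_file_key, SSL_FILETYPE_PEM) != 1) {
  syslog(LOG_ERR, "crypto: cannot load private key %s (openssl error %lu)", file_crpt_file_key, ERR_get_error());
  SSL_CTX_free(new_ctx);
  return;
 }
 // Do not switch contexts when the key does not belong to the certificate;
 // the previous ssl_ctx keeps serving instead of one that cannot complete a handshake.
 if (!SSL_CTX_check_private_key(new_ctx)) {
  syslog(LOG_ERR, "crypto: private key %s does not match certificate %s", file_crpt_file_key, file_crpt_file_cer);
  SSL_CTX_free(new_ctx);
  return;
 }
 old_ctx = ssl_ctx;
 ssl_ctx = new_ctx; // All future binds will use the new certificate
```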
@@ -540,15 +542,7 @@ void CtdlStartTLS(char *ok_response, char *nosup_response, char *error_response)
 // Can't notify the client of an error here; they will
 // discover the problem at the SSL layer and should
 // revert to unencrypted communications.
- long errval;
- char error_string[128];
-
- errval = SSL_get_error(CC->ssl, retval);
- syslog(LOG_ERR, "crypto: SSL_accept failed: retval=%d, errval=%ld, err=%s",
- retval,
- errval,
- ERR_error_string(errval, error_string)
- );
+ syslog(LOG_ERR, "crypto: SSL_accept failed: %s", ERR_reason_error_string(ERR_get_error()));
 SSL_free(CC->ssl);
 CC->ssl = NULL;
 return;
diff --git a/citadel/modules/crypto/serv_crypto.h b/citadel/modules/crypto/serv_crypto.h
index f2c116157..4cef7e43b 100644
--- a/citadel/modules/crypto/serv_crypto.h
+++ b/citadel/modules/crypto/serv_crypto.h
@@ -4,7 +4,9 @@
 */
 #define SIGN_DAYS 1100 // Just over three years
-//#define CIT_CIPHERS "ALL:RC4+RSA:+SSLv2:+TLSv1:!MD5:@STRENGTH" /* see ciphers(1) */
+// Which ciphers will be offered; see https://www.openssl.org/docs/manmaster/man1/ciphers.html
+//#define CIT_CIPHERS "ALL:RC4+RSA:+SSLv2:+TLSv1:!MD5:@STRENGTH"
+#define CIT_CIPHERS "DEFAULT"
 #ifdef HAVE_OPENSSL
 #define OPENSSL_NO_KRB5 /* work around redhat b0rken ssl headers */
-- 
2.30.2
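Review bot: The replacement log line throws away the value that actually classifies an `SSL_accept` failure: `SSL_get_error(CC->ssl, retval)` tells a protocol error apart from a syscall/EOF or a want-read condition, and in the syscall/EOF case the OpenSSL error queue is usually empty, so `ERR_get_error()` returns 0 and `ERR_reason_error_string(0)` returns NULL, which `%s` must not be given. The old code was wrong to feed the `SSL_get_error` value to `ERR_error_string`, but dropping it entirely hides the common client-disconnected-during-handshake case behind a `(null)` or a crash. Keep the classification (call `SSL_get_error` before anything else that touches the error queue, as OpenSSL requires) and guard the reason string. CtdlStartTLS begins and ends outside the hunk.
```c
 // … unchanged: the three explanatory comment lines …
 int ssl_err = SSL_get_error(CC->ssl, retval); // must precede any other OpenSSL call
 unsigned long queued = ERR_get_error();
 const char *reason = queued ? ERR_reason_error_string(queued) : NULL;
 syslog(LOG_ERR, "crypto: SSL_accept failed: retval=%d, ssl_error=%d, err=%s",
        retval, ssl_err, reason ? reason : "(no error queued)");
 SSL_free(CC->ssl);
```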
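Review bot: The new comment `// Which ciphers will be offered` in serv_crypto.h overstates what `CIT_CIPHERS` controls: it is consumed by `SSL_CTX_set_cipher_list`, which governs only the TLS 1.2-and-earlier cipher list, while TLS 1.3 suites are configured through the separate `SSL_CTX_set_ciphersuites` setting and are unaffected by this string. Suggest `// Cipher list for TLS <= 1.2 (SSL_CTX_set_cipher_list); TLS 1.3 suites are configured separately. See https://www.openssl.org/docs/manmaster/man1/ciphers.html`. The re-added commented-out string with `RC4` and `+SSLv2` is dead text that history already preserves and that only invites someone to uncomment it; it could be dropped.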