rpc.tlsservd: Add a -C command line option for preferred_ciphers

rpc.tlsclntd has a -C command line option for setting
preferred_ciphers.  Testing at a recent IETF NFSv4 testing
event showed that setting preferred_ciphers is not normally
needed for the rpc.tlsservd.

This patch modifies rpc.tlsservd to not specify preferred_ciphers
by default, but provides the same -C option as rpc.tlsclntd to
set preferred_ciphers, in case it is needed.

The man page update will be done as a separate commit.

(cherry picked from commit 712aac1389)
Rick Macklem 2022-05-05 15:54:14 -07:00
parent 185159f77c
commit 146e1dbbf6


@ -104,6 +104,7 @@ static uint64_t rpctls_ssl_usec = 0;
static bool rpctls_cnuser = false;
static char *rpctls_dnsname;
static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1";
static const char *rpctls_ciphers = NULL;
static void rpctlssd_terminate(int);
static SSL_CTX *rpctls_setup_ssl(const char *certdir);
@ -118,6 +119,7 @@ static void rpctls_huphandler(int sig __unused);
extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp);
static struct option longopts[] = {
{ "ciphers", required_argument, NULL, 'C' },
{ "certdir", required_argument, NULL, 'D' },
{ "debuglevel", no_argument, NULL, 'd' },
{ "checkhost", no_argument, NULL, 'h' },
@ -179,9 +181,12 @@ main(int argc, char **argv)
debug = 0;
rpctls_verbose = false;
while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts,
while ((ch = getopt_long(argc, argv, "CD:dhl:n:mp:r:uvWw", longopts,
NULL)) != -1) {
switch (ch) {
case 'C':
rpctls_ciphers = optarg;
break;
case 'D':
rpctls_certdir = optarg;
break;
@ -559,16 +564,20 @@ rpctls_setup_ssl(const char *certdir)
}
SSL_CTX_set_ecdh_auto(ctx, 1);
/*
* Set preferred ciphers, since KERN_TLS only supports a
* few of them.
*/
ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS);
if (ret == 0) {
rpctls_verbose_out("rpctls_setup_ssl: "
"SSL_CTX_set_cipher_list failed to set any ciphers\n");
SSL_CTX_free(ctx);
return (NULL);
if (rpctls_ciphers != NULL) {
/*
* Set preferred ciphers, since KERN_TLS only supports a
* few of them. Normally, not doing this should be ok,
* since the library defaults will work.
*/
ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
if (ret == 0) {
rpctls_verbose_out("rpctls_setup_ssl: "
"SSL_CTX_set_cipher_list failed: %s\n",
rpctls_ciphers);
SSL_CTX_free(ctx);
return (NULL);
}
}
/* Get the cert.pem and certkey.pem files from the directory certdir. */
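Review bot: The short-option string on the new getopt_long() line, `"CD:dhl:n:mp:r:uvWw"`, declares `C` without a trailing colon, so the short form `-C <list>` takes no argument: getopt_long() returns 'C' with optarg == NULL, `rpctls_ciphers` stays NULL, the cipher list is left behind as a stray non-option argument, and the library-default ciphers are silently used. Only the long form `--ciphers <list>` works, because the longopts entry says required_argument. The string should be `"C:D:dhl:n:mp:r:uvWw"`, matching the colon already present for `D` and the existing `-C` handling in rpc.tlsclntd that this commit says it mirrors. Because `-C` exists precisely to constrain the cipher suites, an operator who passes it would believe a restriction is in force when none is; note also that SSL_CTX_set_cipher_list() governs only pre-TLS 1.3 suites, so if this daemon negotiates TLS 1.3 the option would additionally need SSL_CTX_set_ciphersuites(), or a comment stating that it does not apply to TLS 1.3. The bodies of main() and rpctls_setup_ssl() both continue outside the hunks shown.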