From: Dave H. <hel...@us...> - 2014-02-11 15:41:15
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "sfcb - Small Footprint CIM Broker".
The branch, master has been updated
via 5ffd5df6a61d3553718580004d130aae7deb9799 (commit)
from 1f5ff60b4091c88868b0af39a980968d47784429 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 5ffd5df6a61d3553718580004d130aae7deb9799
Author: Dave Heller <hel...@us...>
Date: Tue Feb 11 10:40:00 2014 -0500
[sfcb-tix:#99] Add config property enableSslCipherServerPref
-----------------------------------------------------------------------
Summary of changes:
control.c | 1 +
httpAdapter.c | 16 ++++++++++++----
sfcb.cfg.pre.in | 6 ++++++
3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/control.c b/control.c
index 1f789ff..833e3bb 100644
--- a/control.c
+++ b/control.c
@@ -169,6 +169,7 @@ static Control init[] = {
 {"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
 {"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
 {"sslEcDhCurveName", CTL_STRING, "secp224r1", {0}},
+ {"enableSslCipherServerPref", CTL_BOOL, NULL, {.b=0}},
 {"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
 {"providerDirs", CTL_USTRING, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR, {0}},
diff --git a/httpAdapter.c b/httpAdapter.c
index f374c08..df6e596 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -2037,7 +2037,8 @@ initSSL()
 *fcert, *fdhp, *sslCiphers;
- int rc;
+ int rc,
+ escsp;
 if (ctx) SSL_CTX_free(ctx); 
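Review bot: `escsp` is declared without an initializer on the new `int rc, escsp;` lines and is consumed only in the second hunk's `!getControlBool(...) && escsp` test, so its value is well-defined only if getControlBool always writes the out-parameter whenever it returns zero, a contract not visible in this diff. A defensive `int rc, escsp = 0;` costs nothing and keeps the option off should the lookup succeed without storing a value. initSSL's body begins before this hunk and continues after it.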
@@ -2083,10 +2084,17 @@ initSSL()
 }
 /*
- * SSLv2 is pretty old; no one should be needing it any more
+ * Set options
 */
- SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
- SSL_OP_SINGLE_DH_USE);
+ SSL_CTX_set_options(ctx, SSL_OP_ALL |
+ SSL_OP_NO_SSLv2 |
+ SSL_OP_SINGLE_DH_USE);
+
+ if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+ _SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+
 /*
 * Set valid ciphers
 */
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index d575a7e..ef158eb 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -291,6 +291,12 @@ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
 ## Default is secp224r1
 #sslEcDhCurveName: secp224r1
+## When set to true, sets the SSL_OP_CIPHER_SERVER_PREFERENCE flag for the ssl
+## context, to enforce server's preference instead of the client preference for
+## selection of cipher suite. See man SSL_CTX_set_options(3) for details.
+## Default is false
+#enableSslCipherServerPref: false
+
 ##---------------------------------- UDS --------------------------------------
 ## These options only apply if configured with --enable-uds
hooks/post-receive
--
sfcb - Small Footprint CIM Broker |
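Review bot: The rewritten comment `* Set options` drops the only explanation of why SSL_OP_NO_SSLv2 is passed, and the new block says nothing about what the server-preference option changes for negotiation; restore the rationale, e.g. `/* Set options: SSLv2 is obsolete and always disabled; cipher order follows the client unless enableSslCipherServerPref is set. */`. SSL_OP_ALL is carried over unchanged, but since the options call is being rewritten it deserves a comment that SSL_OP_ALL also enables SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which switches off a CBC countermeasure (see SSL_CTX_set_options(3)); whether that workaround is still needed is a follow-up, not part of this change. initSSL starts before this hunk and continues after it.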
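Review bot: The new comment block explains the flag but not its consequence for the `sslCiphers` setting shown in the hunk header: the `@STRENGTH` ordering in that list only governs which suite is negotiated when enableSslCipherServerPref is true, while with the default false the server list acts as a filter and the client's preference order decides among the remaining suites. One added line would make that explicit, e.g. `## Note: when false the client's preference order is used; the @STRENGTH ordering in sslCiphers only takes effect when true.`.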