This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "sfcb - Small Footprint CIM Broker".
The branch, master_1.3 has been updated
via fab104b9b6b2aeeac5d8a0bdf0179f9aa6857493 (commit)
from a85824d2959084180b1086d4039124b15ed393c9 (commit)
- Log -----------------------------------------------------------------
commit fab104b9b6b2aeeac5d8a0bdf0179f9aa6857493
Author: Dave Heller <hel...@us...>
Date: Tue Feb 11 01:49:15 2014 -0500
[sfcb-tix:#99] Add config property enableSslCipherServerPref
-----------------------------------------------------------------------
Summary of changes:
control.c | 1 +
httpAdapter.c | 16 ++++++++++++----
sfcb.cfg.pre.in | 6 ++++++
3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/control.c b/control.c
index d7d833a..830ff57 100644
--- a/control.c
+++ b/control.c
@@ -111,6 +111,7 @@ static Control init[] = {
{"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"},
{"sslDhParamsFilePath", 0, NULL},
{"sslEcDhCurveName", 0, "secp224r1"},
+ {"enableSslCipherServerPref", 2, "false"},
{"registrationDir", 0, SFCB_STATEDIR "/registration"},
{"providerDirs", 3, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR}, /* 3: unstripped */
diff --git a/httpAdapter.c b/httpAdapter.c
index 5c02237..2d1569e 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -1702,7 +1702,8 @@ initSSL()
*fnl,
*fdhp,
*sslCiphers;
- int rc;
+ int rc,
+ escsp;
if (ctx)
SSL_CTX_free(ctx);
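Review bot: `escsp` is declared without an initializer on the added lines `int rc, escsp;` and is read in the next hunk as `!getControlBool("enableSslCipherServerPref", &escsp) && escsp` once the helper returns 0; if the success path of getControlBool can leave its out-parameter untouched for an absent or malformed value (not visible in this diff), that comparison reads an indeterminate int. Initialising it to the documented default on the declaration, `escsp = 0;`, keeps the server-preference option strictly opt-in regardless of what the helper does, at no cost. initSSL's body begins before and continues past this hunk.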
@@ -1746,10 +1747,17 @@ initSSL()
}
/*
- * SSLv2 is pretty old; no one should be needing it any more
+ * Set options
*/
- SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
- SSL_OP_SINGLE_DH_USE);
+ SSL_CTX_set_options(ctx, SSL_OP_ALL |
+ SSL_OP_NO_SSLv2 |
+ SSL_OP_SINGLE_DH_USE);
+
+ if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+ _SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+
/*
* Set valid ciphers
*/
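Review bot: The rewritten comment `* Set options` drops the only stated reason for SSL_OP_NO_SSLv2 in the call that follows, which is the security-relevant part of this block. Keep the rationale next to the new flag, e.g. `/* SSLv2 is obsolete and must never be negotiated; server cipher-order preference is opt-in via enableSslCipherServerPref. */`. The new branch traces only the enabled case; a trace on the `getControlBool` failure path would make a misspelled or missing config key visible in the log rather than silently keeping client preference, though that is optional. initSSL continues beyond this hunk.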
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 457ffd7..2f78beb 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -228,6 +228,12 @@ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
## Default is secp224r1
#sslEcDhCurveName: secp224r1
+## When set to true, sets the SSL_OP_CIPHER_SERVER_PREFERENCE flag for the ssl
+## context, to enforce server's preference instead of the client preference for
+## selection of cipher suite. See man SSL_CTX_set_options(3) for details.
+## Default is false
+#enableSslCipherServerPref: false
+
##---------------------------------- UDS --------------------------------------
## These options only apply if configured with --enable-uds