[mod_openssl] set Ciphersuites once API available

set Ciphersuites once API is available (SSL_CTX_set_ciphersuites()) in LibreSSL. x-ref: "Add support for TLS 1.3" https://github.com/libressl-portable/portable/issues/228
2 years ago · 14f8f9b21c
parent cb24e1c70b
commit 14f8f9b21c
1 changed files with 11 additions and 3 deletions
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@ -3559,7 +3559,7 @@ mod_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
     * https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html */
    int rc = 0;
    buffer *cipherstring = NULL;
-    /*buffer *ciphersuites = NULL;*/
+    buffer *ciphersuites = NULL;
    buffer *minb = NULL;
    buffer *maxb = NULL;
    buffer *curves = NULL;
@ -3568,10 +3568,8 @@ mod_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
        data_string *ds = (data_string *)s->ssl_conf_cmd->data[i];
        if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("CipherString")))
            cipherstring = &ds->value;
-      #if 0
        else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Ciphersuites")))
            ciphersuites = &ds->value;
-      #endif
        else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Curves"))
              || buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Groups")))
            curves = &ds->value;
@ -3665,6 +3663,16 @@ mod_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
            rc = -1;
    }

+    if (!buffer_string_is_empty(ciphersuites)) {
+      #if defined(LIBRESSL_VERSION_NUMBER) && defined(LIBRESSL_HAS_TLS1_3)
+        if (SSL_CTX_set_ciphersuites(s->ssl_ctx, ciphersuites->ptr) != 1) {
+            log_error(srv->errh, __FILE__, __LINE__,
+              "SSL: %s", ERR_error_string(ERR_get_error(), NULL));
+            rc = -1;
+        }
+      #endif
+    }
+
    if (!buffer_string_is_empty(cipherstring)) {
        /* Disable support for low encryption ciphers */
        buffer_append_string_len(cipherstring,