Allow setting the SSL cipher list in start_tls(). Version 1.1.4.dev2.

commit acaad8e76b8f4468cf4ff759e03a5784a05c1c21 1 parent e829764
@ibc authored
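--- a/ext/cmain.cpp
+++ b/ext/cmain.cpp
@@ -453,12 +453,12 @@ extern "C" void evma_start_tls (const unsigned long binding)
 evma_set_tls_parms
 ******************/
-extern "C" void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filename, int verify_peer, int ssl_version)
+extern "C" void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filename, int verify_peer, int ssl_version, const char *cipherlist)
 {
 ensure_eventmachine("evma_set_tls_parms");
 EventableDescriptor *ed = dynamic_cast <EventableDescriptor*> (Bindable_t::GetObject (binding));
 if (ed)
- ed->SetTlsParms (privatekey_filename, certchain_filename, (verify_peer == 1 ? true : false), ssl_version);
+ ed->SetTlsParms (privatekey_filename, certchain_filename, (verify_peer == 1 ? true : false), ssl_version, cipherlist);
 }
 /******************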
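--- a/ext/ed.cpp
+++ b/ext/ed.cpp
@@ -1136,7 +1136,7 @@ void ConnectionDescriptor::StartTls()
 if (SslBox)
 throw std::runtime_error ("SSL/TLS already running on connection");
- SslBox = new SslBox_t (bIsServer, PrivateKeyFilename, CertChainFilename, bSslVerifyPeer, bSslVersion, GetBinding());
+ SslBox = new SslBox_t (bIsServer, PrivateKeyFilename, CertChainFilename, bSslVerifyPeer, bSslVersion, CipherList, GetBinding());
 _DispatchCiphertext();
 #endif
@@ -1150,7 +1150,7 @@ void ConnectionDescriptor::StartTls()
 ConnectionDescriptor::SetTlsParms
 *********************************/
-void ConnectionDescriptor::SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version)
+void ConnectionDescriptor::SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version, const char *cipherlist)
 {
 #ifdef WITH_SSL
 if (SslBox)
@@ -1161,6 +1161,8 @@ void ConnectionDescriptor::SetTlsParms (const char *privkey_filename, const char
 CertChainFilename = certchain_filename;
 bSslVerifyPeer = verify_peer;
 bSslVersion = ssl_version;
+ if (cipherlist && *cipherlist)
+ CipherList = cipherlist;
 #endif
 #ifdef WITHOUT_SSL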
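Review bot: In the `@@ -1161` hunk `CipherList` is assigned only when `cipherlist` is non-empty, while the neighbouring fields (`CertChainFilename`, `bSslVerifyPeer`, `bSslVersion`) are assigned unconditionally; if set_tls_parms is invoked more than once on a connection before start_tls, an empty list on the later call keeps the earlier explicit list instead of restoring the built-in default that an empty string selects in SslContext_t. Assigning unconditionally, `CipherList = cipherlist ? cipherlist : "";`, keeps the setters consistent and makes "empty means default" hold on every call. The SetTlsParms body begins and ends outside the hunk.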
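--- a/ext/ed.h
+++ b/ext/ed.h
@@ -70,7 +70,7 @@ class EventableDescriptor: public Bindable_t
 virtual bool GetSubprocessPid (pid_t*) {return false;}
 virtual void StartTls() {}
- virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version) {}
+ virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version, const char *cipherlist) {}
 #ifdef WITH_SSL
 virtual X509 *GetPeerCert() {return NULL;}
@@ -195,7 +195,7 @@ class ConnectionDescriptor: public EventableDescriptor
 virtual int GetOutboundDataSize() {return OutboundDataSize;}
 virtual void StartTls();
- virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version);
+ virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version, const char *cipherlist);
 #ifdef WITH_SSL
 virtual X509 *GetPeerCert();
@@ -242,6 +242,7 @@ class ConnectionDescriptor: public EventableDescriptor
 bool bHandshakeSignaled;
 bool bSslVerifyPeer;
 int bSslVersion;
+ std::string CipherList;
 bool bSslPeerAccepted;
 #endif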
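--- a/ext/eventmachine.h
+++ b/ext/eventmachine.h
@@ -69,7 +69,7 @@ extern "C" {
 const unsigned long evma_create_unix_domain_server (const char *filename);
 const unsigned long evma_open_datagram_socket (const char *server, int port);
 const unsigned long evma_open_keyboard();
- void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filenane, int verify_peer, int ssl_version);
+ void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filenane, int verify_peer, int ssl_version, const char *cipherlist);
 void evma_start_tls (const unsigned long binding);
 #ifdef WITH_SSL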
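Review bot: The public C declaration gains `cipherlist` but nothing says what a NULL or empty pointer means, even though the implementation treats both as "use the built-in default" (ed.cpp stores only a non-empty string, and SslContext_t falls back to its default list for an empty one). A one-line comment on the declaration, `/* cipherlist: OpenSSL cipher-list string; NULL or "" keeps the built-in default */`, records that contract where C callers will look for it. While touching this line, note the third parameter is still spelled `certchain_filenane` here whereas the definition in cmain.cpp spells it `certchain_filename`.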
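--- a/ext/rubymain.cpp
+++ b/ext/rubymain.cpp
@@ -307,14 +307,14 @@ static VALUE t_start_tls (VALUE self, VALUE signature)
 t_set_tls_parms
 ***************/
-static VALUE t_set_tls_parms (VALUE self, VALUE signature, VALUE privkeyfile, VALUE certchainfile, VALUE verify_peer, VALUE ssl_version)
+static VALUE t_set_tls_parms (VALUE self, VALUE signature, VALUE privkeyfile, VALUE certchainfile, VALUE verify_peer, VALUE ssl_version, VALUE cipherlist)
 {
 /* set_tls_parms takes a series of positional arguments for specifying such things
 * as private keys and certificate chains.
 * It's expected that the parameter list will grow as we add more supported features.
 * ALL of these parameters are optional, and can be specified as empty or NULL strings.
 */
- evma_set_tls_parms (NUM2ULONG (signature), StringValuePtr (privkeyfile), StringValuePtr (certchainfile), (verify_peer == Qtrue ? 1 : 0), FIX2INT(ssl_version));
+ evma_set_tls_parms (NUM2ULONG(signature), StringValuePtr(privkeyfile), StringValuePtr(certchainfile), (verify_peer == Qtrue ? 1 : 0), FIX2INT(ssl_version), StringValuePtr(cipherlist));
 return Qnil;
 }
@@ -1216,7 +1216,7 @@ extern "C" void Init_rubyeventmachine()
 rb_define_module_function (EmModule, "start_tcp_server", (VALUE(*)(...))t_start_server, 2);
 rb_define_module_function (EmModule, "stop_tcp_server", (VALUE(*)(...))t_stop_server, 1);
 rb_define_module_function (EmModule, "start_unix_server", (VALUE(*)(...))t_start_unix_server, 1);
- rb_define_module_function (EmModule, "set_tls_parms", (VALUE(*)(...))t_set_tls_parms, 5);
+ rb_define_module_function (EmModule, "set_tls_parms", (VALUE(*)(...))t_set_tls_parms, 6);
 rb_define_module_function (EmModule, "start_tls", (VALUE(*)(...))t_start_tls, 1);
 rb_define_module_function (EmModule, "get_peer_cert", (VALUE(*)(...))t_get_peer_cert, 1);
 rb_define_module_function (EmModule, "send_data", (VALUE(*)(...))t_send_data, 3);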
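Review bot: `StringValuePtr(cipherlist)` in the `@@ -307` hunk does not reject embedded NUL bytes, so a Ruby String containing one hands only the prefix before the NUL to `evma_set_tls_parms`, and the cipher list actually installed by `SSL_CTX_set_cipher_list` silently differs from the one the application configured. `StringValueCStr(cipherlist)` raises ArgumentError on an embedded NUL and guarantees termination, which is the right contract for a value that is consumed as a C string; the two filename arguments would benefit from the same change. The comment above the call still says the parameters may be "NULL strings", but `StringValuePtr` raises TypeError on nil, so a caller that bypasses connection.rb and passes nil gets an exception rather than the default; the comment should say empty strings only.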
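--- a/ext/ssl.cpp
+++ b/ext/ssl.cpp
@@ -120,7 +120,7 @@ static void InitializeDefaultCredentials()
 SslContext_t::SslContext_t
 **************************/
-SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, int ssl_version):
+SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, int ssl_version, const string &cipherlist):
 pCtx (NULL),
 PrivateKey (NULL),
 Certificate (NULL)
@@ -188,7 +188,10 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
 assert (e > 0);
 }
- SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
+ if (cipherlist.length() > 0)
+ SSL_CTX_set_cipher_list (pCtx, cipherlist.c_str());
+ else
+ SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
 if (is_server) {
 SSL_CTX_sess_set_cache_size (pCtx, 128);
@@ -231,7 +234,7 @@ SslContext_t::~SslContext_t()
 SslBox_t::SslBox_t
 ******************/
-SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, int ssl_version, const unsigned long binding):
+SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, int ssl_version, const string &cipherlist, const unsigned long binding):
 bIsServer (is_server),
 bHandshakeCompleted (false),
 bVerifyPeer (verify_peer),
@@ -244,7 +247,7 @@ SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &cer
 * a new one every time we come here.
 */
- Context = new SslContext_t (bIsServer, privkeyfile, certchainfile, ssl_version);
+ Context = new SslContext_t (bIsServer, privkeyfile, certchainfile, ssl_version, cipherlist);
 assert (Context);
 pbioRead = BIO_new (BIO_s_mem());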
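Review bot: In the `@@ -188` hunk the return value of `SSL_CTX_set_cipher_list` is discarded on the user-supplied branch; when the string selects no cipher OpenSSL returns 0 and leaves the previously installed list in place (presumably the library default from context creation), so a mistyped `:cipher_list` silently yields neither the configured list nor the stricter built-in one on the `else` branch. Check the result and fail loudly: `if (SSL_CTX_set_cipher_list (pCtx, cipherlist.c_str()) != 1) { SSL_CTX_free (pCtx); throw std::runtime_error ("invalid SSL cipher list"); }`. The `SSL_CTX_free` matters because this runs inside the constructor, whose destructor will not run if it throws; `std::runtime_error` is what the StartTls caller in ed.cpp already throws, though I cannot see from the hunk whether ssl.cpp includes `<stdexcept>`. The constructor body begins and ends outside the hunk.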
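--- a/ext/ssl.h
+++ b/ext/ssl.h
@@ -33,7 +33,7 @@ class SslContext_t
 class SslContext_t
 {
 public:
- SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, int ssl_version);
+ SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, int ssl_version, const string &cipherlist);
 virtual ~SslContext_t();
 private:
@@ -57,7 +57,7 @@ class SslBox_t
 class SslBox_t
 {
 public:
- SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, int ssl_version, const unsigned long binding);
+ SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, int ssl_version, const string &cipherlist, const unsigned long binding);
 virtual ~SslBox_t();
 int PutPlaintext (const char*, int);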
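--- a/lib/em/connection.rb
+++ b/lib/em/connection.rb
@@ -395,6 +395,8 @@ def connection_completed
 #
 # @option args [Symbol] :ssl_version (:SSLv23) indicates the version of SSL to use. Valid values are :SSLv23, :SSLv3 and TLSv1. Default value is :SSLv23.
 #
+ # @option cipher_list [String] :cipher_list ("ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH") indicates the available SSL cipher values.
+ #
 # @example Using TLS with EventMachine
 #
 # require 'rubygems'
@@ -419,7 +421,7 @@ def connection_completed
 #
 # @see #ssl_verify_peer
 def start_tls args={}
- priv_key, cert_chain, verify_peer, ssl_version = args.values_at(:private_key_file, :cert_chain_file, :verify_peer, :ssl_version)
+ priv_key, cert_chain, verify_peer, ssl_version, cipher_list = args.values_at(:private_key_file, :cert_chain_file, :verify_peer, :ssl_version, :cipher_list)
 [priv_key, cert_chain].each do |file|
 next if file.nil? or file.empty?
@@ -438,7 +440,7 @@ def start_tls args={}
 else ; raise "invalid value #{ssl_version.inspect} for :ssl_version"
 end
- EventMachine::set_tls_parms(@signature, priv_key || '', cert_chain || '', verify_peer, ssl_version)
+ EventMachine::set_tls_parms(@signature, priv_key || '', cert_chain || '', verify_peer, ssl_version, cipher_list || '')
 EventMachine::start_tls @signature
 end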
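Review bot: The new YARD line in the `@@ -395` hunk reads `@option cipher_list [String] :cipher_list`, but `@option` takes the name of the hash parameter first, which for `start_tls args={}` is `args`, as the neighbouring `:ssl_version` entry shows; as written YARD will warn about an unknown parameter and not group it with the other options. It should read `# @option args [String] :cipher_list ("ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH") an OpenSSL cipher-list string selecting the ciphers offered in the handshake; empty or nil keeps the default.` In the `@@ -438` hunk `cipher_list || ''` is passed through without the kind of validation `:ssl_version` gets, so a non-String value (a Symbol, say) surfaces as a TypeError from the C extension rather than a message naming the option; a `raise "invalid value #{cipher_list.inspect} for :cipher_list" unless cipher_list.nil? or cipher_list.is_a?(String)` before the call would match the existing style.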
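--- a/lib/em/version.rb
+++ b/lib/em/version.rb
@@ -1,3 +1,3 @@
 module EventMachine
- VERSION = "1.1.4.dev1"
+ VERSION = "1.1.4.dev2"
 end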