The branch stable/13 has been updated by rmacklem:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=146e1dbbf6b9634a5cd06e1b5ff81d417627fcae

commit 146e1dbbf6b9634a5cd06e1b5ff81d417627fcae
Author:     Rick Macklem <rmack...@freebsd.org>
AuthorDate: 2022-05-05 22:54:14 +0000
Commit:     Rick Macklem <rmack...@freebsd.org>
CommitDate: 2022-06-03 02:09:41 +0000

    rpc.tlsservd: Add a -C command line option for preferred_ciphers
    
    rpc.tlsclntd has a -C command line option for setting
    preferred_ciphers.  Testing at a recent IETF NFSv4 testing
    event showed that setting preferred_ciphers is not normally
    needed for the rpc.tlsservd.
    
    This patch modifies rpc.tlsservd to not specify preferred_ciphers
    by default, but provides the same -C option as rpc.tlsclntd to
    set preferred_ciphers, in case it is needed.
    
    The man page update will be done as a separate commit.
    
    (cherry picked from commit 712aac1389e8476ff3da98fd7ec80bf71fc601f4)
---
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c 
b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index 16dd3e9c2d8b..2e27a112b6e2 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -104,6 +104,7 @@ static uint64_t             rpctls_ssl_usec = 0;
 static bool            rpctls_cnuser = false;
 static char            *rpctls_dnsname;
 static const char      *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1";
+static const char      *rpctls_ciphers = NULL;
 
 static void            rpctlssd_terminate(int);
 static SSL_CTX         *rpctls_setup_ssl(const char *certdir);
@@ -118,6 +119,7 @@ static void         rpctls_huphandler(int sig __unused);
 extern void            rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp);
 
 static struct option longopts[] = {
+       { "ciphers",            required_argument,      NULL,   'C' },
        { "certdir",            required_argument,      NULL,   'D' },
        { "debuglevel",         no_argument,            NULL,   'd' },
        { "checkhost",          no_argument,            NULL,   'h' },
@@ -179,9 +181,12 @@ main(int argc, char **argv)
 
        debug = 0;
        rpctls_verbose = false;
-       while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts,
+       while ((ch = getopt_long(argc, argv, "CD:dhl:n:mp:r:uvWw", longopts,
            NULL)) != -1) {
                switch (ch) {
+               case 'C':
+                       rpctls_ciphers = optarg;
+                       break;
                case 'D':
                        rpctls_certdir = optarg;
                        break;
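Review bot: The short option `-C` is added to the getopt string without a trailing colon (`"CD:dhl:n:mp:r:uvWw"`) while the matching longopts entry in the previous hunk declares `required_argument`, so for `-C <list>` getopt_long leaves optarg NULL, `case 'C'` assigns NULL to rpctls_ciphers, and the cipher list is silently ignored in favour of the library defaults; only the `--ciphers=<list>` spelling behaves as intended. Because rpctls_setup_ssl treats a NULL rpctls_ciphers as "use defaults", the misconfiguration leaves no trace in the log and is only visible by inspecting the negotiated cipher. The fix is one character: `while ((ch = getopt_long(argc, argv, "C:D:dhl:n:mp:r:uvWw", longopts,`. main() continues outside the hunk.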
@@ -559,16 +564,20 @@ rpctls_setup_ssl(const char *certdir)
        }
        SSL_CTX_set_ecdh_auto(ctx, 1);
 
-       /*
-        * Set preferred ciphers, since KERN_TLS only supports a
-        * few of them.
-        */
-       ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS);
-       if (ret == 0) {
-               rpctls_verbose_out("rpctls_setup_ssl: "
-                   "SSL_CTX_set_cipher_list failed to set any ciphers\n");
-               SSL_CTX_free(ctx);
-               return (NULL);
+       if (rpctls_ciphers != NULL) {
+               /*
+                * Set preferred ciphers, since KERN_TLS only supports a
+                * few of them.  Normally, not doing this should be ok,
+                * since the library defaults will work.
+                */
+               ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+               if (ret == 0) {
+                       rpctls_verbose_out("rpctls_setup_ssl: "
+                           "SSL_CTX_set_cipher_list failed: %s\n",
+                           rpctls_ciphers);
+                       SSL_CTX_free(ctx);
+                       return (NULL);
+               }
        }
 
        /* Get the cert.pem and certkey.pem files from the directory certdir. */
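Review bot: When `-C` is not supplied, nothing in this block records that the OpenSSL default cipher list is in effect, so the verbose log can no longer tell an operator whether the ciphers were constrained to KERN_TLS-capable ones or left to library defaults. An else branch with `rpctls_verbose_out("rpctls_setup_ssl: using library default cipher list\n");` would make the effective configuration visible alongside the existing failure message. If `_PREFERRED_CIPHERS` is still defined elsewhere in this file, this hunk removes its only use here and it is presumably dead now. rpctls_setup_ssl starts and ends outside the hunk.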
