@@ -405,6 +405,9 @@ struct rspamd_config { | |||
struct rspamd_config_post_load_script *on_load; /**< list of scripts executed on config load */ | |||
gchar *ssl_ca_path; /**< path to CA certs */ | |||
gchar *ssl_ciphers; /**< set of preferred ciphers */ | |||
ref_entry_t ref; /**< reference counter */ | |||
}; | |||
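Review bot: The new `ssl_ca_path` field comment "path to CA certs" does not say whether this is a single bundle file or a directory of hashed certificates, while the matching RCL help string in this diff calls it a "CA file"; the two meanings map to different OpenSSL load calls and a misconfiguration here typically shows up only at first TLS use. Suggest `/**< path to the CA certificate bundle file (single file, not a directory) */` on ssl_ca_path and `/**< OpenSSL cipher-list string, NULL means library default */` on ssl_ciphers, assuming that is the intended contract. The field comments should also state who owns these strings, since the defaults assigned elsewhere in this commit are string literals and the config parser presumably replaces them with parsed copies; rspamd_config_free needs to know which case it is looking at.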
@@ -1924,6 +1924,18 @@ rspamd_rcl_config_init (struct rspamd_config *cfg) | |||
G_STRUCT_OFFSET (struct rspamd_config, ignore_received), | |||
0, | |||
"Ignore data from the first received header"); | |||
rspamd_rcl_add_default_handler (sub, | |||
"ssl_ca_path", | |||
rspamd_rcl_parse_struct_string, | |||
G_STRUCT_OFFSET (struct rspamd_config, ssl_ca_path), | |||
RSPAMD_CL_FLAG_STRING_PATH, | |||
"Path to ssl CA file"); | |||
rspamd_rcl_add_default_handler (sub, | |||
"ssl_ciphers", | |||
rspamd_rcl_parse_struct_string, | |||
G_STRUCT_OFFSET (struct rspamd_config, ssl_ciphers), | |||
0, | |||
"List of ssl ciphers (e.g. HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)"); | |||
/* New DNS configuration */ | |||
ssub = rspamd_rcl_add_section_doc (&sub->subsections, "dns", NULL, NULL, | |||
UCL_OBJECT, FALSE, TRUE, |
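Review bot: Neither new handler validates its value beyond parsing it as a string: `ssl_ca_path` carries RSPAMD_CL_FLAG_STRING_PATH but nothing here checks that the file exists and is readable, and an invalid `ssl_ciphers` list is presumably only rejected later by whatever calls SSL_CTX_set_cipher_list (not visible in this hunk), so a typo in either option is discovered at the first TLS connection rather than at config load. A post-load check that opens ssl_ca_path and fails configuration with a clear message would make that fail-fast. The help strings should also document the format and the default so operators do not guess: `"Path to the CA certificate bundle file used for TLS verification (default: system bundle)"` and `"OpenSSL cipher list string (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)"`.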
@@ -161,6 +161,13 @@ rspamd_config_new (void) | |||
*/ | |||
cfg->enable_shutdown_workaround = TRUE; | |||
cfg->ssl_ciphers = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"; | |||
#ifndef FREEBSD | |||
cfg->ssl_ca_path = "/etc/ssl/certs/ca-certificates.crt"; | |||
#else | |||
cfg->ssl_ca_path = "/usr/local/etc/ssl/certs/ca-certificates.crt"; | |||
#endif | |||
REF_INIT_RETAIN (cfg, rspamd_config_free); | |||
return cfg; |
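Review bot: The non-FreeBSD default `/etc/ssl/certs/ca-certificates.crt` is the Debian/Ubuntu bundle location; on RHEL/Fedora (`/etc/pki/tls/certs/ca-bundle.crt`), macOS and other systems that file does not exist, so the default silently points at nothing and the outcome depends on how the consumer handles a missing CA file, which is not visible here (a fail-closed consumer breaks all TLS verification out of the box, a fail-open one skips it). A more portable default is to leave `cfg->ssl_ca_path = NULL;` and have the SSL context creation call `SSL_CTX_set_default_verify_paths()` when no path is configured, or to probe a short list of known bundle locations at init. Separately, both fields now hold pointers to string literals while the config parser presumably stores allocated strings into the same fields; if rspamd_config_free frees them unconditionally this is a free of a non-heap pointer, so either strdup the defaults here or make the free path distinguish the two. rspamd_config_new's body starts before this hunk.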
@@ -29,6 +29,8 @@ | |||
#include <openssl/err.h> | |||
#include <openssl/evp.h> | |||
#include <openssl/ssl.h> | |||
#include <openssl/conf.h> | |||
#include <openssl/engine.h> | |||
#endif | |||
#ifdef HAVE_TERMIOS_H | |||
@@ -2009,8 +2011,22 @@ rspamd_init_libs (void) | |||
OpenSSL_add_all_algorithms (); | |||
OpenSSL_add_all_digests (); | |||
OpenSSL_add_all_ciphers (); | |||
#if OPENSSL_VERSION_NUMBER >= 0x1000104fL | |||
ENGINE_load_builtin_engines (); | |||
if ((ctx->crypto_ctx->cpu_config & CPUID_RDRAND) == 0) { | |||
RAND_set_rand_engine (NULL); | |||
} | |||
#endif | |||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | |||
SSL_library_init (); | |||
#else | |||
OPENSSL_init_ssl (0, NULL); | |||
#endif | |||
SSL_library_init (); | |||
SSL_load_error_strings (); | |||
OPENSSL_config (NULL); | |||
if (RAND_poll () == 0) { | |||
guchar seed[128]; |