authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-11 16:16:04 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-11 16:16:04 +0100
commitd64b6c289c8b5e9ad9e53bbb551fa345e4bbe41a (patch)
tree6d2d313cce2f488bc4518a475286006f000d27ec
parent4eac8a4828fa434d94dc662fe3b5426bf396d7be (diff)
[Feature] Configure CA path and ciphers
-rw-r--r--src/libserver/cfg_utils.c5
-rw-r--r--src/libutil/util.c29
2 files changed, 26 insertions, 8 deletions
diff --git a/src/libserver/cfg_utils.c b/src/libserver/cfg_utils.c
index 9cdedaabe..9e80cbaa8 100644
--- a/src/libserver/cfg_utils.c
+++ b/src/libserver/cfg_utils.c
@@ -162,11 +162,6 @@ rspamd_config_new (void)
cfg->enable_shutdown_workaround = TRUE;
cfg->ssl_ciphers = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
-#ifndef FREEBSD
- cfg->ssl_ca_path = "/etc/ssl/certs/ca-certificates.crt";
-#else
- cfg->ssl_ca_path = "/usr/local/etc/ssl/certs/ca-certificates.crt";
-#endif
REF_INIT_RETAIN (cfg, rspamd_config_free);
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 17dc0d644..aaaa09f27 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -1974,7 +1974,6 @@ rspamd_init_libs (void)
struct rlimit rlim;
struct rspamd_external_libs_ctx *ctx;
struct ottery_config *ottery_cfg;
- static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
ctx = g_slice_alloc0 (sizeof (*ctx));
ctx->crypto_ctx = rspamd_cryptobox_init ();
@@ -2041,8 +2040,6 @@ rspamd_init_libs (void)
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth (ctx->ssl_ctx, 4);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
- /* Default settings */
- SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
#endif
g_random_set_seed (ottery_rand_uint32 ());
@@ -2070,6 +2067,8 @@ void
rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
struct rspamd_config *cfg)
{
+ static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
+
g_assert (cfg != NULL);
if (ctx != NULL) {
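Review bot: The `secure_ciphers` literal added here duplicates the string that cfg_utils.c still assigns to `cfg->ssl_ciphers` in the first file of this commit, so the two copies can drift apart and the fallback would then no longer match the documented default. Expose one definition (for example a `static const char rspamd_default_ciphers[]` declared in a shared header, or a macro both files include) and reference it from both places. The function body continues in the next hunk.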
@@ -2085,6 +2084,30 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
(void **) ctx->local_addrs);
}
}
+
+ if (cfg->ssl_ca_path) {
+ if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path,
+ NULL) != 1) {
+ msg_err_config ("cannot load CA certs from %s: %s",
+ cfg->ssl_ca_path,
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+ }
+ else {
+ msg_warn_config ("ssl_ca_path is not set, using default CA path");
+ SSL_CTX_set_default_verify_paths (ctx->ssl_ctx);
+ }
+
+ if (cfg->ssl_ciphers) {
+ if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) {
+ msg_err_config ("cannot set ciphers set to %s: %s; fallback to %s",
+ cfg->ssl_ciphers,
+ ERR_error_string (ERR_get_error (), NULL),
+ secure_ciphers);
+ /* Default settings */
+ SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
+ }
+ }
}
}
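Review bot: The added `SSL_CTX_load_verify_locations`, `SSL_CTX_set_default_verify_paths` and `SSL_CTX_set_cipher_list` calls are not inside a conditional-compilation block, whereas the `SSL_CTX_set_cipher_list` call this commit removes from `rspamd_init_libs` sat just above an `#endif` in the earlier hunk; unless the whole of `rspamd_config_libs` is already compiled out under that same condition, builds without the SSL support this guard selects will presumably fail to compile, so the new block should be wrapped in the same `#ifdef` as the removed code. The `SSL_CTX_set_default_verify_paths` return value and the fallback `SSL_CTX_set_cipher_list` return value are also unchecked, leaving a context that still has `SSL_VERIFY_PEER` set but possibly no trusted store or an unintended cipher set; at least `if (SSL_CTX_set_default_verify_paths (ctx->ssl_ctx) != 1) { msg_err_config ("cannot set default CA paths: %s", ERR_error_string (ERR_get_error (), NULL)); }` and a matching check on the fallback call would surface that at startup. Note too that `ERR_error_string (..., NULL)` formats into a static buffer; `ERR_error_string_n` with a local buffer avoids that shared state if this path can run concurrently.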