author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2016-06-11 16:16:04 +0100 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2016-06-11 16:16:04 +0100 |
commit | d64b6c289c8b5e9ad9e53bbb551fa345e4bbe41a (patch) | |
tree | 6d2d313cce2f488bc4518a475286006f000d27ec | |
parent | 4eac8a4828fa434d94dc662fe3b5426bf396d7be (diff) | |
[Feature] Configure CA path and ciphers
-rw-r--r-- | src/libserver/cfg_utils.c | 5 | ||||
-rw-r--r-- | src/libutil/util.c | 29 |
2 files changed, 26 insertions, 8 deletions
diff --git a/src/libserver/cfg_utils.c b/src/libserver/cfg_utils.c
index 9cdedaabe..9e80cbaa8 100644
--- a/src/libserver/cfg_utils.c
+++ b/src/libserver/cfg_utils.c
@@ -162,11 +162,6 @@ rspamd_config_new (void)
 cfg->enable_shutdown_workaround = TRUE;
 cfg->ssl_ciphers = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
-#ifndef FREEBSD
- cfg->ssl_ca_path = "/etc/ssl/certs/ca-certificates.crt";
-#else
- cfg->ssl_ca_path = "/usr/local/etc/ssl/certs/ca-certificates.crt";
-#endif
 REF_INIT_RETAIN (cfg, rspamd_config_free);
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 17dc0d644..aaaa09f27 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -1974,7 +1974,6 @@ rspamd_init_libs (void)
 struct rlimit rlim;
 struct rspamd_external_libs_ctx *ctx;
 struct ottery_config *ottery_cfg;
- static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
 ctx = g_slice_alloc0 (sizeof (*ctx));
 ctx->crypto_ctx = rspamd_cryptobox_init ();
@@ -2041,8 +2040,6 @@ rspamd_init_libs (void)
 SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
 SSL_CTX_set_verify_depth (ctx->ssl_ctx, 4);
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
- /* Default settings */
- SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
 #endif
 g_random_set_seed (ottery_rand_uint32 ());
@@ -2070,6 +2067,8 @@ void
 rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 struct rspamd_config *cfg)
 {
+ static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
+
 g_assert (cfg != NULL);
 if (ctx != NULL) {
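Review bot: The `secure_ciphers` literal added at the top of rspamd_config_libs is a second copy of the string assigned to `cfg->ssl_ciphers` in rspamd_config_new (context line of the cfg_utils.c hunk in this same commit), so the configured default and the fallback can drift apart without any warning. Keeping one shared constant for both, or at least a comment such as `/* Keep in sync with the default ssl_ciphers in rspamd_config_new () */` next to this declaration, would make the coupling visible. rspamd_config_libs's body continues past this hunk.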
@@ -2085,6 +2084,30 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
 (void **) ctx->local_addrs);
 }
 }
+
+ if (cfg->ssl_ca_path) {
+ if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path,
+ NULL) != 1) {
+ msg_err_config ("cannot load CA certs from %s: %s",
+ cfg->ssl_ca_path,
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+ }
+ else {
+ msg_warn_config ("ssl_ca_path is not set, using default CA path");
+ SSL_CTX_set_default_verify_paths (ctx->ssl_ctx);
+ }
+
+ if (cfg->ssl_ciphers) {
+ if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) {
+ msg_err_config ("cannot set ciphers set to %s: %s; fallback to %s",
+ cfg->ssl_ciphers,
+ ERR_error_string (ERR_get_error (), NULL),
+ secure_ciphers);
+ /* Default settings */
+ SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
+ }
+ }
 }
 }
|
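Review bot: The return values of `SSL_CTX_set_default_verify_paths (ctx->ssl_ctx)` in the else branch and of the fallback `SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers)` are both discarded, so a failure in either path leaves the context with whatever OpenSSL had before and nothing is logged; both return 1 on success and the lines below check them the same way the primary calls already do. When `SSL_CTX_load_verify_locations` fails the function only logs and carries on with the SSL_VERIFY_PEER setting from rspamd_init_libs and no trust anchors, which fails closed (every later handshake fails verification) but is only visible as one startup log line, so the message should say that outbound TLS will not work until ssl_ca_path is fixed. `ERR_error_string (ERR_get_error (), NULL)` returns a pointer to a static buffer, so if this can run on more than one thread prefer `ERR_error_string_n` into a local `char` array. The SSL_CTX calls in rspamd_init_libs end at an `#endif` (see the -2041 hunk); if that is a build-time OpenSSL guard, this new block needs the same conditional, since it has none visible here. rspamd_config_libs starts outside this hunk; the hunk ends at its closing brace.

```c
	else {
		msg_warn_config ("ssl_ca_path is not set, using default CA path");
		if (SSL_CTX_set_default_verify_paths (ctx->ssl_ctx) != 1) {
			msg_err_config ("cannot load default CA paths: %s",
					ERR_error_string (ERR_get_error (), NULL));
		}
	}
	/* … unchanged: cfg->ssl_ciphers check and its error message … */
			if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers) != 1) {
				msg_err_config ("cannot set fallback ciphers %s: %s",
						secure_ciphers,
						ERR_error_string (ERR_get_error (), NULL));
			}
```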