aboutsummaryrefslogtreecommitdiffstats
path: root/src/libutil
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-11 16:16:04 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2016-06-11 16:16:04 +0100
commitd64b6c289c8b5e9ad9e53bbb551fa345e4bbe41a (patch)
tree6d2d313cce2f488bc4518a475286006f000d27ec /src/libutil
parent4eac8a4828fa434d94dc662fe3b5426bf396d7be (diff)
downloadrspamd-d64b6c289c8b5e9ad9e53bbb551fa345e4bbe41a.tar.gz
rspamd-d64b6c289c8b5e9ad9e53bbb551fa345e4bbe41a.zip
[Feature] Configure CA path and ciphers
Diffstat (limited to 'src/libutil')
-rw-r--r--src/libutil/util.c29
1 files changed, 26 insertions, 3 deletions
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 17dc0d644..aaaa09f27 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -1974,7 +1974,6 @@ rspamd_init_libs (void)
struct rlimit rlim;
struct rspamd_external_libs_ctx *ctx;
struct ottery_config *ottery_cfg;
- static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
ctx = g_slice_alloc0 (sizeof (*ctx));
ctx->crypto_ctx = rspamd_cryptobox_init ();
@@ -2041,8 +2040,6 @@ rspamd_init_libs (void)
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth (ctx->ssl_ctx, 4);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
- /* Default settings */
- SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
#endif
g_random_set_seed (ottery_rand_uint32 ());
@@ -2070,6 +2067,8 @@ void
rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
struct rspamd_config *cfg)
{
+ static const char secure_ciphers[] = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
+
g_assert (cfg != NULL);
if (ctx != NULL) {
@@ -2085,6 +2084,30 @@ rspamd_config_libs (struct rspamd_external_libs_ctx *ctx,
(void **) ctx->local_addrs);
}
}
+
+ if (cfg->ssl_ca_path) {
+ if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, cfg->ssl_ca_path,
+ NULL) != 1) {
+ msg_err_config ("cannot load CA certs from %s: %s",
+ cfg->ssl_ca_path,
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+ }
+ else {
+ msg_warn_config ("ssl_ca_path is not set, using default CA path");
+ SSL_CTX_set_default_verify_paths (ctx->ssl_ctx);
+ }
+
+ if (cfg->ssl_ciphers) {
+ if (SSL_CTX_set_cipher_list (ctx->ssl_ctx, cfg->ssl_ciphers) != 1) {
+ msg_err_config ("cannot set ciphers set to %s: %s; fallback to %s",
+ cfg->ssl_ciphers,
+ ERR_error_string (ERR_get_error (), NULL),
+ secure_ciphers);
+ /* Default settings */
+ SSL_CTX_set_cipher_list (ctx->ssl_ctx, secure_ciphers);
+ }
+ }
}
}