[OpenWrt-Devel] [PATCH uclient] uclient-fetch: support specifying advertised TLS ciphers

Jo-Philipp Wich jo at mein.io
Sat Feb 15 17:56:41 EST 2020


Introduce a new `--ciphers` option which allows specifying a colon separated
list of usable TLS ciphers.

Depending on the underlying ustream-ssl provider, the list either follows
OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon
separated cipher whitelist.

Signed-off-by: Jo-Philipp Wich <jo at mein.io>
---
 uclient-fetch.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/uclient-fetch.c b/uclient-fetch.c
index 38c9c53..a06be5d 100644
--- a/uclient-fetch.c
+++ b/uclient-fetch.c
@@ -467,6 +467,7 @@ static int usage(const char *progname)
 		"HTTPS options:\n"
 		"	--ca-certificate=<cert>		Load CA certificates from file <cert>\n"
 		"	--no-check-certificate		don't validate the server's certificate\n"
+		"	--ciphers=<cipherlist>		Set the cipher list string\n"
 		"\n", progname);
 	return 1;
 }
@@ -510,6 +511,7 @@ static int no_ssl(const char *progname)
 enum {
 	L_NO_CHECK_CERTIFICATE,
 	L_CA_CERTIFICATE,
+	L_CIPHERS,
 	L_USER,
 	L_PASSWORD,
 	L_USER_AGENT,
@@ -525,6 +527,7 @@ enum {
 static const struct option longopts[] = {
 	[L_NO_CHECK_CERTIFICATE] = { "no-check-certificate", no_argument },
 	[L_CA_CERTIFICATE] = { "ca-certificate", required_argument },
+	[L_CIPHERS] = { "ciphers", required_argument },
 	[L_USER] = { "user", required_argument },
 	[L_PASSWORD] = { "password", required_argument },
 	[L_USER_AGENT] = { "user-agent", required_argument },
@@ -568,6 +571,15 @@ int main(int argc, char **argv)
 				if (ssl_ctx)
 					ssl_ops->context_add_ca_crt_file(ssl_ctx, optarg);
 				break;
+			case L_CIPHERS:
+				if (ssl_ctx) {
+					if (ssl_ops->context_set_ciphers(ssl_ctx, optarg)) {
+						if (!quiet)
+							fprintf(stderr, "No recognized ciphers in cipher list\n");
+						exit(1);
+					}
+				}
+				break;
 			case L_USER:
 				if (!strlen(optarg))
 					break;
-- 
2.25.0


_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list