From 3bd3a41e973cc92c303ccfdba5116cb371bc7894 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Sat, 14 May 2016 08:34:29 +0800
Subject: [PATCH] lwsws conf allow setting cipher list and ecdh curve

Signed-off-by: Andy Green
---
 README.lwsws.md | 6 ++++++
 lwsws/conf.c | 10 ++++++++++
 2 files changed, 16 insertions(+)

diff --git a/README.lwsws.md b/README.lwsws.md
index 9d6c82a3..96174d19 100644
--- a/README.lwsws.md
+++ b/README.lwsws.md
@@ -188,6 +188,12 @@ Other vhost options
  - "`access-log`": "filepath" sets where apache-compatible access logs will be written
+ - "`ciphers`": "" sets the allowed list of ciphers and key exchange protocols for the vhost. The default list is restricted to only those providing PFS (Perfect Forward Secrecy) on the author's Fedora system.
+
+ If you need to allow weaker ciphers,you can provide an alternative list here per-vhost.
+
+ - "`ecdh-curve`": "" The default ecdh curve is "prime256v1", but you can override it here, per-vhost
+
 Mounts
 ------
diff --git a/lwsws/conf.c b/lwsws/conf.c
index f222ed64..ce77d940 100644
--- a/lwsws/conf.c
+++ b/lwsws/conf.c
@@ -64,6 +64,8 @@ static const char * const paths_vhosts[] = {
 	"vhosts[].ws-protocols[].*",
 	"vhosts[].ws-protocols[]",
 	"vhosts[].keepalive_timeout",
+	"vhosts[].ciphers",
+	"vhosts[].ecdh-curve",
 };
 
 enum lejp_vhost_paths {
@@ -91,6 +93,8 @@ enum lejp_vhost_paths {
 	LEJPVP_PROTOCOL_NAME,
 	LEJPVP_PROTOCOL,
 	LEJPVP_KEEPALIVE_TIMEOUT,
+	LEJPVP_CIPHERS,
+	LEJPVP_ECDH_CURVE,
 };
 
 #define MAX_PLUGIN_DIRS 10
@@ -374,6 +378,12 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 	case LEJPVP_KEEPALIVE_TIMEOUT:
 		a->info->keepalive_timeout = atoi(ctx->buf);
 		return 0;
+	case LEJPVP_CIPHERS:
+		a->info->ssl_cipher_list = a->p;
+		break;
+	case LEJPVP_ECDH_CURVE:
+		a->info->ecdh_curve = a->p;
+		break;
 	case LEJPVP_CGI_ENV:
 		mp_cgienv = lwsws_align(a);
 		a->p += sizeof(*a->m.cgienv);
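Review bot: The two strings appended to `paths_vhosts[]` are matched only by position with `LEJPVP_CIPHERS` and `LEJPVP_ECDH_CURVE` appended to `enum lejp_vhost_paths` in the following hunk, and nothing in either table records that the index of a path is what the parser reports as the enum value. Anyone inserting a path in the middle of one list without the other silently remaps every later option, including these TLS ones, to the wrong `case`. A one-line comment above the array, `/* order must match enum lejp_vhost_paths exactly: the index is the path id */`, and the mirror comment above the enum would make the coupling visible at the point of edit. Both tables start before this hunk, so the existing entries above are not under review here.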
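Review bot: The `LEJPVP_CIPHERS` and `LEJPVP_ECDH_CURVE` cases store the arena pointer `a->p` and `break`, unlike the `LEJPVP_KEEPALIVE_TIMEOUT` case above them which consumes `ctx->buf` and returns, so they rely on code after the `switch` — outside this hunk — to copy `ctx->buf` to `a->p` and advance it; presumably that is the same path the other string-valued vhost options take, but nothing in these six lines says so, and a comment such as `/* value is copied into the arena after the switch, like the other string options */` would spare the next reader the search. A cipher list like the PFS-only default the README describes is routinely longer than a single lejp string chunk, so if the post-switch copy only sees the last chunk of a long value, the configured list would be silently truncated and the vhost would negotiate a different, possibly weaker, cipher set than the administrator wrote; this is worth checking against lejp's chunk-callback behaviour and, if long values are not reassembled, rejecting them with an error rather than storing a partial string. Neither value is validated here, so an unknown curve name or malformed cipher string presumably only surfaces when the TLS context is created, far from the offending config line; a comment stating that, `/* not validated here; the TLS layer rejects unknown names at vhost creation */`, at least sets expectations. The enclosing `lejp_vhosts_cb` starts and ends outside the hunk.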