git: 8d098deda378 - main - rpc.tlsservd: Modify the -C option to use SSL_CTX_set_ciphersuites
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 22 May 2022 20:45:54 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=8d098deda3786b223e44ad1bed923a6d66dfa341
commit 8d098deda3786b223e44ad1bed923a6d66dfa341
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2022-05-22 20:44:31 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2022-05-22 20:44:31 +0000
rpc.tlsservd: Modify the -C option to use SSL_CTX_set_ciphersuites
Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.
The man page has already been updated.
MFC after: 2 weeks
---
usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index bbcdba319353..be81b1bab1fc 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -237,6 +237,7 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "usage: %s "
+ "[-C/--ciphers available_ciphers] "
"[-D/--certdir certdir] [-d/--debuglevel] "
"[-h/--checkhost] "
"[-l/--verifylocs CAfile] [-m/--mutualverf] "
@@ -570,14 +571,14 @@ rpctls_setup_ssl(const char *certdir)
if (rpctls_ciphers != NULL) {
/*
- * Set preferred ciphers, since KERN_TLS only supports a
+ * Set available ciphers, since KERN_TLS only supports a
* few of them. Normally, not doing this should be ok,
* since the library defaults will work.
*/
- ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+ ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers);
if (ret == 0) {
rpctls_verbose_out("rpctls_setup_ssl: "
- "SSL_CTX_set_cipher_list failed: %s\n",
+ "SSL_CTX_set_ciphersuites failed: %s\n",
rpctls_ciphers);
SSL_CTX_free(ctx);
return (NULL);