Added support to configure ciphers in ssl, previously the ciphers = V…
…al string in yaws.conf required Val to be a string written in the OpenSSL cipher-string spec language. Now we specify an Erlang list instead; the list shall comply with the output of ssl:cipher_suites().
Claes Wikstrom committed Sep 10, 2012
1 parent 2ad166a commit 8551256
Showing 2 changed files with 65 additions and 13 deletions.
8 changes: 6 additions & 2 deletions man/yaws.conf.5
Expand Up @@ -880,8 +880,12 @@ decrypt it.
\fBciphers = String\fR
.RS 12
This string specifies the SSL cipher string. The syntax of the SSL cipher string
is a little horrible sublanguage of its own. It is documented in the SSL man
page for "ciphers".
is an erlang term compliant with the output of ssl:cipher_suites().
.nf

ciphers = "[{dhe_rsa,aes_256_cbc,sha}, \\
{dhe_dss,aes_256_cbc,sha}]"
.fi
.RE
.HP

70 changes: 59 additions & 11 deletions src/yaws_config.erl
Expand Up @@ -13,7 +13,6 @@
-include("../include/yaws_api.hrl").
-include("yaws_debug.hrl").


-include_lib("kernel/include/file.hrl").

-export([load/1,
Expand Down Expand Up @@ -1292,9 +1291,8 @@ fload(FD, server, GC, C, Cs, Lno, Chars) ->
end;



fload(FD, ssl, GC, C, Cs, Lno, Chars) ->
Next = io:get_line(FD, ''),
Next = io_get_line(FD, '', []),
case toks(Lno, Chars) of
[] ->
fload(FD, ssl, GC, C, Cs, Lno+1, Next);
Expand Down Expand Up @@ -1386,13 +1384,28 @@ fload(FD, ssl, GC, C, Cs, Lno, Chars) ->
[Lno])}
end;
["ciphers", '=', Val] ->
if
is_record(C#sconf.ssl, ssl) ->
C2 = C#sconf{ssl = (C#sconf.ssl)#ssl{ciphers = Val}},
fload(FD, ssl, GC, C2, Cs, Lno+1, Next);
true ->
{error, ?F("Need to set option ssl to true before line ~w",
[Lno])}
try
L = str2term(Val),
io:format("L = ~p~n",[L]),
Ciphers = ssl:cipher_suites(),
case check_ciphers(L, Ciphers) of
ok ->
if
is_record(C#sconf.ssl, ssl) ->
C2 = C#sconf{ssl = (C#sconf.ssl)#ssl{
ciphers = L}},
fload(FD, ssl, GC, C2, Cs, Lno+1, Next);
true ->
{error, ?F("Need to set option ssl to "
"true before line ~w",
[Lno])}
end;
Err ->
Err
end
catch _:Err2 ->
io:format("~p~n", [Err2]),
{error, ?F("Bad cipherspec at line ~w", [Lno])}
end;
['<', "/ssl", '>'] ->
fload(FD, server, GC, C, Cs, Lno+1, Next);
Expand Down Expand Up @@ -1868,7 +1881,7 @@ is_string_char([C|T]) ->
end.

is_special(C) ->
lists:member(C, [$=, $<, $>, $,]).
lists:member(C, [$=, $[, $], ${, $}, $, ,$<, $>, $,]).

%% parse the argument string PLString which can either be the undefined
%% atom or a proplist. Currently the only supported keys are
Expand Down Expand Up @@ -2523,3 +2536,38 @@ subconfigdir_fold(File, {ok, GCp, Csp}=Acc) ->
%% Ignore subdirectories
Acc
end.

str2term(Str0) ->
Str=Str0++".",
{ok,Tokens,_EndLine} = erl_scan:string(Str),
{ok,AbsForm} = erl_parse:parse_exprs(Tokens),
{value,Value,_Bs} = erl_eval:exprs(AbsForm, erl_eval:new_bindings()),
Value.

check_ciphers([], _) ->
ok;
check_ciphers([Spec|Specs], L) ->
case lists:member(Spec, L) of
true ->
check_ciphers(Specs, L);
false ->
{error, ?F("Bad cipherspec ~p",[Spec])}
end;
check_ciphers(X,_) ->
{error, ?F("Bad cipherspec ~p",[X])}.



io_get_line(FD, Prompt, Acc) ->
Next = io:get_line(FD, Prompt),
if
is_list(Next) ->
case lists:reverse(Next) of
[$\n, $\\ |More] ->
io_get_line(FD, Prompt, Acc ++ lists:reverse(More));
_ ->
Acc ++ Next
end;
true ->
Next
end.
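Review bot: `str2term` (added at the end of this section) runs the configured `ciphers` value through `erl_parse:parse_exprs` and `erl_eval:exprs/2`, so any Erlang expression placed in yaws.conf — `os:cmd("...")`, `file:delete(...)`, a `spawn` — is executed with the server's privileges before `check_ciphers` ever sees the result; the validation constrains the final value, not the side effects of computing it, and although yaws.conf is normally admin-owned that is still a code-execution primitive hiding in a config option documented as a literal list. Since the man page describes the value as a plain term, parse it as one: replace the `parse_exprs`/`erl_eval:exprs` pair with `{ok, Term} = erl_parse:parse_term(Tokens), Term.`, which rejects calls and variables while still accepting the `[{dhe_rsa,aes_256_cbc,sha}, ...]` form shown in the docs (the surrounding `try ... catch` still turns a parse failure into the `Bad cipherspec` error). The `io:format("L = ~p~n",[L])` in the `"ciphers"` clause and `io:format("~p~n", [Err2])` in its catch look like leftover debugging that dumps the raw term or exception to stdout at every config load; drop them or fold the reason into the returned error string. If I recall correctly `ssl:cipher_suites/0` returns only the suites the ssl application enables by default, so `check_ciphers` will reject a suite that ssl supports but does not enable — that may be the intent, but it deserves a one-line comment such as `%% Only suites in ssl's default list are accepted; see ssl:cipher_suites/1 for the full set.` above `check_ciphers`. The `"ciphers"` clause belongs to the `fload(FD, ssl, ...)` function, which begins and ends outside the visible hunk.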
