wolfssl: support setting cipher list

author Dan Fandrich <dan@coneharvesters.com>

Fri, 6 Jan 2017 22:00:45 +0000 (23:00 +0100)

committer Dan Fandrich <dan@coneharvesters.com>

Fri, 6 Jan 2017 22:02:09 +0000 (23:02 +0100)
author Dan Fandrich <dan@coneharvesters.com>
Fri, 6 Jan 2017 22:00:45 +0000 (23:00 +0100)
committer Dan Fandrich <dan@coneharvesters.com>
Fri, 6 Jan 2017 22:02:09 +0000 (23:02 +0100)
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md

index 9e84820985dae2e36703a7141770c379acd1605d..99d261bdd63edc1b60f6fc7cb3c7ba8677a0b1b6 100644 (file)
--- a/docs/CIPHERS.md
+++ b/docs/CIPHERS.md
@@ -311,3 +311,116 @@ but libcurl maps them to the following case-insensitive names.
  `aes256-sha256`
  `aes128-gcm-sha256`
  `aes256-gcm-sha384`
+
+## WolfSSL
+
+`RC4-SHA`,
+`RC4-MD5`,
+`DES-CBC3-SHA`,
+`AES128-SHA`,
+`AES256-SHA`,
+`NULL-SHA`,
+`NULL-SHA256`,
+`DHE-RSA-AES128-SHA`,
+`DHE-RSA-AES256-SHA`,
+`DHE-PSK-AES256-GCM-SHA384`,
+`DHE-PSK-AES128-GCM-SHA256`,
+`PSK-AES256-GCM-SHA384`,
+`PSK-AES128-GCM-SHA256`,
+`DHE-PSK-AES256-CBC-SHA384`,
+`DHE-PSK-AES128-CBC-SHA256`,
+`PSK-AES256-CBC-SHA384`,
+`PSK-AES128-CBC-SHA256`,
+`PSK-AES128-CBC-SHA`,
+`PSK-AES256-CBC-SHA`,
+`DHE-PSK-AES128-CCM`,
+`DHE-PSK-AES256-CCM`,
+`PSK-AES128-CCM`,
+`PSK-AES256-CCM`,
+`PSK-AES128-CCM-8`,
+`PSK-AES256-CCM-8`,
+`DHE-PSK-NULL-SHA384`,
+`DHE-PSK-NULL-SHA256`,
+`PSK-NULL-SHA384`,
+`PSK-NULL-SHA256`,
+`PSK-NULL-SHA`,
+`HC128-MD5`,
+`HC128-SHA`,
+`HC128-B2B256`,
+`AES128-B2B256`,
+`AES256-B2B256`,
+`RABBIT-SHA`,
+`NTRU-RC4-SHA`,
+`NTRU-DES-CBC3-SHA`,
+`NTRU-AES128-SHA`,
+`NTRU-AES256-SHA`,
+`AES128-CCM-8`,
+`AES256-CCM-8`,
+`ECDHE-ECDSA-AES128-CCM`,
+`ECDHE-ECDSA-AES128-CCM-8`,
+`ECDHE-ECDSA-AES256-CCM-8`,
+`ECDHE-RSA-AES128-SHA`,
+`ECDHE-RSA-AES256-SHA`,
+`ECDHE-ECDSA-AES128-SHA`,
+`ECDHE-ECDSA-AES256-SHA`,
+`ECDHE-RSA-RC4-SHA`,
+`ECDHE-RSA-DES-CBC3-SHA`,
+`ECDHE-ECDSA-RC4-SHA`,
+`ECDHE-ECDSA-DES-CBC3-SHA`,
+`AES128-SHA256`,
+`AES256-SHA256`,
+`DHE-RSA-AES128-SHA256`,
+`DHE-RSA-AES256-SHA256`,
+`ECDH-RSA-AES128-SHA`,
+`ECDH-RSA-AES256-SHA`,
+`ECDH-ECDSA-AES128-SHA`,
+`ECDH-ECDSA-AES256-SHA`,
+`ECDH-RSA-RC4-SHA`,
+`ECDH-RSA-DES-CBC3-SHA`,
+`ECDH-ECDSA-RC4-SHA`,
+`ECDH-ECDSA-DES-CBC3-SHA`,
+`AES128-GCM-SHA256`,
+`AES256-GCM-SHA384`,
+`DHE-RSA-AES128-GCM-SHA256`,
+`DHE-RSA-AES256-GCM-SHA384`,
+`ECDHE-RSA-AES128-GCM-SHA256`,
+`ECDHE-RSA-AES256-GCM-SHA384`,
+`ECDHE-ECDSA-AES128-GCM-SHA256`,
+`ECDHE-ECDSA-AES256-GCM-SHA384`,
+`ECDH-RSA-AES128-GCM-SHA256`,
+`ECDH-RSA-AES256-GCM-SHA384`,
+`ECDH-ECDSA-AES128-GCM-SHA256`,
+`ECDH-ECDSA-AES256-GCM-SHA384`,
+`CAMELLIA128-SHA`,
+`DHE-RSA-CAMELLIA128-SHA`,
+`CAMELLIA256-SHA`,
+`DHE-RSA-CAMELLIA256-SHA`,
+`CAMELLIA128-SHA256`,
+`DHE-RSA-CAMELLIA128-SHA256`,
+`CAMELLIA256-SHA256`,
+`DHE-RSA-CAMELLIA256-SHA256`,
+`ECDHE-RSA-AES128-SHA256`,
+`ECDHE-ECDSA-AES128-SHA256`,
+`ECDH-RSA-AES128-SHA256`,
+`ECDH-ECDSA-AES128-SHA256`,
+`ECDHE-RSA-AES256-SHA384`,
+`ECDHE-ECDSA-AES256-SHA384`,
+`ECDH-RSA-AES256-SHA384`,
+`ECDH-ECDSA-AES256-SHA384`,
+`ECDHE-RSA-CHACHA20-POLY1305`,
+`ECDHE-ECDSA-CHACHA20-POLY1305`,
+`DHE-RSA-CHACHA20-POLY1305`,
+`ECDHE-RSA-CHACHA20-POLY1305-OLD`,
+`ECDHE-ECDSA-CHACHA20-POLY1305-OLD`,
+`DHE-RSA-CHACHA20-POLY1305-OLD`,
+`ADH-AES128-SHA`,
+`QSH`,
+`RENEGOTIATION-INFO`,
+`IDEA-CBC-SHA`,
+`ECDHE-ECDSA-NULL-SHA`,
+`ECDHE-PSK-NULL-SHA256`,
+`ECDHE-PSK-AES128-CBC-SHA256`,
+`PSK-CHACHA20-POLY1305`,
+`ECDHE-PSK-CHACHA20-POLY1305`,
+`DHE-PSK-CHACHA20-POLY1305`,
+`EDH-RSA-DES-CBC3-SHA`,
diff --git a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3

index f6b9459943886fa9e729258b2c78efb426028aa3..5f3668a720c075667db9f2d4719328b36020f781 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3
@@ -46,6 +46,9 @@ For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
  \'rsa_aes_128_sha\', etc. With NSS you don't add/remove ciphers. If one uses
  this option then all known ciphers are disabled and only those passed in are
  enabled.
+
+For WolfSSL, valid examples of cipher lists include
+\'ECDHE-RSA-RC4-SHA\', 'AES256-SHA:AES256-SHA256', etc.
  .SH DEFAULT
  NULL, use internal default
  .SH PROTOCOLS
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c

index 3346daa053fc1f7483491c3d7437eada06458bc5..f494a011dde44a9953b060a40b69ddd44438bcf0 100644 (file)
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -134,6 +134,7 @@ cyassl_connect_step1(struct connectdata *conn,
                       int sockindex)
  {
    char error_buffer[CYASSL_MAX_ERROR_SZ];
+  char *ciphers;
    struct Curl_easy *data = conn->data;
    struct ssl_connect_data* conssl = &conn->ssl[sockindex];
    SSL_METHOD* req_method = NULL;
@@ -229,6 +230,15 @@ cyassl_connect_step1(struct connectdata *conn,
      break;
    }
  
+  ciphers = SSL_CONN_CONFIG(cipher_list);
+  if(ciphers) {
+    if(!SSL_CTX_set_cipher_list(conssl->ctx, ciphers)) {
+      failf(data, "failed setting cipher list: %s", ciphers);
+      return CURLE_SSL_CIPHER;
+    }
+    infof(data, "Cipher selection: %s\n", ciphers);
+  }
+
  #ifndef NO_FILESYSTEM
    /* load trusted cacert */
    if(SSL_CONN_CONFIG(CAfile)) {
author	Dan Fandrich <dan@coneharvesters.com>
	Fri, 6 Jan 2017 22:00:45 +0000 (23:00 +0100)
committer	Dan Fandrich <dan@coneharvesters.com>
	Fri, 6 Jan 2017 22:02:09 +0000 (23:02 +0100)
docs/CIPHERS.md		patch \| blob \| blame \| history
docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3		patch \| blob \| blame \| history
lib/vtls/cyassl.c		patch \| blob \| blame \| history