From: Vsevolod Stakhov Date: Sat, 11 Jun 2016 12:40:44 +0000 (+0100) Subject: [Feature] Allow to set ciphers and CA paths in config X-Git-Tag: 1.3.0~371 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4eac8a4828fa434d94dc662fe3b5426bf396d7be;p=thirdparty%2Frspamd.git [Feature] Allow to set ciphers and CA paths in config --- diff --git a/src/libserver/cfg_file.h b/src/libserver/cfg_file.h index e14fbd90a9..93470c0f30 100644 --- a/src/libserver/cfg_file.h +++ b/src/libserver/cfg_file.h @@ -405,6 +405,9 @@ struct rspamd_config { struct rspamd_config_post_load_script *on_load; /**< list of scripts executed on config load */ + gchar *ssl_ca_path; /**< path to CA certs */ + gchar *ssl_ciphers; /**< set of preferred ciphers */ + ref_entry_t ref; /**< reference counter */ }; diff --git a/src/libserver/cfg_rcl.c b/src/libserver/cfg_rcl.c index 50e5893a87..7b7c764203 100644 --- a/src/libserver/cfg_rcl.c +++ b/src/libserver/cfg_rcl.c @@ -1924,6 +1924,18 @@ rspamd_rcl_config_init (struct rspamd_config *cfg) G_STRUCT_OFFSET (struct rspamd_config, ignore_received), 0, "Ignore data from the first received header"); + rspamd_rcl_add_default_handler (sub, + "ssl_ca_path", + rspamd_rcl_parse_struct_string, + G_STRUCT_OFFSET (struct rspamd_config, ssl_ca_path), + RSPAMD_CL_FLAG_STRING_PATH, + "Path to ssl CA file"); + rspamd_rcl_add_default_handler (sub, + "ssl_ciphers", + rspamd_rcl_parse_struct_string, + G_STRUCT_OFFSET (struct rspamd_config, ssl_ciphers), + 0, + "List of ssl ciphers (e.g. HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)"); /* New DNS configuration */ ssub = rspamd_rcl_add_section_doc (&sub->subsections, "dns", NULL, NULL, UCL_OBJECT, FALSE, TRUE, diff --git a/src/libserver/cfg_utils.c b/src/libserver/cfg_utils.c index 85fd6af80a..9cdedaabe6 100644 --- a/src/libserver/cfg_utils.c +++ b/src/libserver/cfg_utils.c 
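Review bot: The new `ssl_ca_path` option is documented as "Path to ssl CA file" while its name (and the struct comment "path to CA certs") reads like a directory, and the default assigned in cfg_utils.c is a bundle file; OpenSSL treats a CAfile and a hashed CApath directory differently, so the help text should say which one is accepted, e.g. `"Path to a PEM bundle of trusted CA certificates (a file, not a directory)"`. For `ssl_ciphers`, quoting the default as an example is helpful, but it is worth adding that the value is an OpenSSL cipher-list string and that an invalid list will only be detected wherever the SSL context is created (not in this diff). rspamd_rcl_config_init starts outside the hunk.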
@@ -161,6 +161,13 @@ rspamd_config_new (void) */ cfg->enable_shutdown_workaround = TRUE; + cfg->ssl_ciphers = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"; +#ifndef FREEBSD + cfg->ssl_ca_path = "/etc/ssl/certs/ca-certificates.crt"; +#else + cfg->ssl_ca_path = "/usr/local/etc/ssl/certs/ca-certificates.crt"; +#endif + REF_INIT_RETAIN (cfg, rspamd_config_free); return cfg; diff --git a/src/libutil/util.c b/src/libutil/util.c index 10753ec93c..17dc0d644b 100644 --- a/src/libutil/util.c +++ b/src/libutil/util.c @@ -29,6 +29,8 @@ #include #include #include +#include +#include #endif #ifdef HAVE_TERMIOS_H @@ -2009,8 +2011,22 @@ rspamd_init_libs (void) OpenSSL_add_all_algorithms (); OpenSSL_add_all_digests (); OpenSSL_add_all_ciphers (); + +#if OPENSSL_VERSION_NUMBER >= 0x1000104fL + ENGINE_load_builtin_engines (); + + if ((ctx->crypto_ctx->cpu_config & CPUID_RDRAND) == 0) { + RAND_set_rand_engine (NULL); + } +#endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + SSL_library_init (); +#else + OPENSSL_init_ssl (0, NULL); +#endif SSL_library_init (); SSL_load_error_strings (); + OPENSSL_config (NULL); if (RAND_poll () == 0) { guchar seed[128];
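Review bot: The `#ifndef FREEBSD` default sends every non-FreeBSD platform to the Debian-style bundle `/etc/ssl/certs/ca-certificates.crt`, which is not where RHEL/Fedora (`/etc/pki/tls/certs/ca-bundle.crt`) or macOS keep their trust store, so on those systems TLS peer verification cannot succeed unless the operator overrides `ssl_ca_path`; the FreeBSD path is also worth double-checking against where the `ca_root_nss` port actually installs its bundle. A build-time definition (e.g. a macro supplied by the build system, falling back to these literals) plus a startup warning from whatever code consumes the path when the file is absent would make a wrong default visible instead of silently breaking verification. The defaults are string literals stored in the non-const `gchar *` fields added to cfg_file.h; if rspamd_config_free or the config parser ever frees these fields (not visible here), a literal would reach free, so a short comment that the defaults are static storage would help the next maintainer.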
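Review bot: The unconditional `SSL_library_init ();` left after the new `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` block is now redundant: on pre-1.1 OpenSSL and LibreSSL it runs twice, and on 1.1+ it is (as far as I recall) only a compatibility macro for `OPENSSL_init_ssl`, so the leftover line should be removed. The RDRAND branch only handles the no-RDRAND case via `RAND_set_rand_engine (NULL)`; when the CPU does have RDRAND, nothing here documents whether the intent is to let the hardware engine become the sole RAND source, which is a single point of trust most deployments avoid in favour of mixing it into the software PRNG, so a comment stating the intent and why `0x1000104fL` is the cutoff is warranted. `OPENSSL_config (NULL)` loads the library's default configuration file, whose location the `OPENSSL_CONF` environment variable can redirect, so the process environment now influences engine and algorithm setup of a daemon; on 1.1+ `OPENSSL_init_ssl (OPENSSL_INIT_LOAD_CONFIG, NULL)` subsumes that call and would avoid the deprecated API. rspamd_init_libs starts outside the hunk, where `ctx` is presumably defined.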