From 2353d5a913f65fdf43c66ce6eb8cd5237e2226d4 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Thu, 11 Dec 2014 19:07:04 +0000
Subject: [PATCH] Allow user to specify SSL ciphersuite choices

Fixes #19
---
 ncat/ncat_core.c | 1 +
 ncat/ncat_core.h | 1 +
 ncat/ncat_main.c | 7 +++++++
 ncat/ncat_ssl.c | 8 +++++++-
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/ncat/ncat_core.c b/ncat/ncat_core.c
index 971531ea4..541578060 100644
--- a/ncat/ncat_core.c
+++ b/ncat/ncat_core.c
@@ -206,6 +206,7 @@ void options_init(void)
     o.sslkey = NULL;
     o.sslverify = 0;
     o.ssltrustfile = NULL;
+    o.sslciphers = NULL;
 #endif
 }
diff --git a/ncat/ncat_core.h b/ncat/ncat_core.h
index 76ebad9ee..065edfe90 100644
--- a/ncat/ncat_core.h
+++ b/ncat/ncat_core.h
@@ -200,6 +200,7 @@ struct options {
     char *sslkey;
     int sslverify;
     char *ssltrustfile;
+    char *sslciphers;
 };
 extern struct options o;
diff --git a/ncat/ncat_main.c b/ncat/ncat_main.c
index 05e8d52e2..7eecd3b9a 100644
--- a/ncat/ncat_main.c
+++ b/ncat/ncat_main.c
@@ -311,11 +311,13 @@ int main(int argc, char *argv[])
         {"ssl-key", required_argument, NULL, 0},
         {"ssl-verify", no_argument, NULL, 0},
         {"ssl-trustfile", required_argument, NULL, 0},
+        {"ssl-ciphers", required_argument, NULL, 0},
 #else
         {"ssl-cert", optional_argument, NULL, 0},
         {"ssl-key", optional_argument, NULL, 0},
         {"ssl-verify", no_argument, NULL, 0},
         {"ssl-trustfile", optional_argument, NULL, 0},
+        {"ssl-ciphers", optional_argument, NULL, 0},
 #endif
         {0, 0, 0, 0}
     };
@@ -517,6 +519,9 @@ int main(int argc, char *argv[])
                 /* If they list a trustfile assume they want certificate verification. */
                 o.sslverify = 1;
+            } else if (strcmp(long_options[option_index].name, "ssl-ciphers") == 0) {
+                o.ssl = 1;
+                o.sslciphers = Strdup(optarg);
             }
 #else
             else if (strcmp(long_options[option_index].name, "ssl-cert") == 0) {
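Review bot: The new `ssl-ciphers` branch in the hunk at line 517 stores the string with `Strdup(optarg)` and implies `o.ssl = 1`, but nothing in the patch adds the option to ncat's usage/help text — the diffstat lists only these four files and no hunk touches a usage string — so unless the help lives in a file not shown here, the new flag ships undocumented. The stored string is also not checked at parse time; it is only validated when the SSL context is created, so a malformed list is reported by `bye` much later than the other option errors. A one-line comment would make that intent explicit: `/* Validated later by SSL_CTX_set_cipher_list() when the SSL context is built. */`. The enclosing `main` starts and ends outside the hunk, and the hunk's trailing context line appears to have been lost in this rendering.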
@@ -527,6 +532,8 @@ int main(int argc, char *argv[])
                 bye("OpenSSL isn't compiled in. The --ssl-verify option cannot be chosen.");
             } else if (strcmp(long_options[option_index].name, "ssl-trustfile") == 0) {
                 bye("OpenSSL isn't compiled in. The --ssl-trustfile option cannot be chosen.");
+            } else if (strcmp(long_options[option_index].name, "ssl-ciphers") == 0) {
+                bye("OpenSSL isn't compiled in. The --ssl-ciphers option cannot be chosen.");
             }
 #endif
 #ifdef HAVE_LUA
diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
index 74845d258..a8ecc027d 100644
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -177,8 +177,14 @@ SSL_CTX *setup_ssl_listen(void)
     SSL_CTX_set_options(sslctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
     /* Secure ciphers list taken from Nsock. */
-    if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
+    if (o.sslciphers == NULL) {
+        if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
         bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
+    }
+    else {
+        if (!SSL_CTX_set_cipher_list(sslctx, o.sslciphers))
+            bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
+    }
 
     if (o.sslcert == NULL && o.sslkey == NULL) {
         X509 *cert;
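Review bot: In the ncat_ssl.c hunk the first `bye(...)` is kept as a context line between the new `+` lines, so it sits at its old indentation inside the newly nested `if`, and the two branches duplicate the same `SSL_CTX_set_cipher_list` call and error message. Both issues disappear if the list is chosen first and set once: `const char *ciphers = o.sslciphers != NULL ? o.sslciphers : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";` / `if (!SSL_CTX_set_cipher_list(sslctx, ciphers))` / `bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));`. The existing comment should also say that a user-supplied list replaces the Nsock defaults rather than extending them, since the `!ADH:!LOW:!EXP:!MD5` exclusions no longer apply once `o.sslciphers` is set, e.g. `/* Secure ciphers list taken from Nsock; a user-supplied --ssl-ciphers list replaces it entirely. */`. This is the only hunk in ncat_ssl.c, so if the connect-side context is built by a different function in that file it does not pick up `o.sslciphers` — worth confirming. `setup_ssl_listen` continues past the end of the hunk.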