Allow user to specify SSL ciphersuite choices

Fixes #19
2025-12-06 12:41:29 +00:00 · 2014-12-11 19:07:04 +00:00
parent e81f9fba12
commit 2353d5a913
4 changed files with 16 additions and 1 deletions
--- a/ncat/ncat_core.c
+++ b/ncat/ncat_core.c
@@ -206,6 +206,7 @@ void options_init(void)
    o.sslkey = NULL;
    o.sslverify = 0;
    o.ssltrustfile = NULL;
+    o.sslciphers = NULL;
 #endif
 }

--- a/ncat/ncat_core.h
+++ b/ncat/ncat_core.h
@@ -200,6 +200,7 @@ struct options {
    char *sslkey;
    int sslverify;
    char *ssltrustfile;
+    char *sslciphers;
 };

 extern struct options o;
--- a/ncat/ncat_main.c
+++ b/ncat/ncat_main.c
@@ -311,11 +311,13 @@ int main(int argc, char *argv[])
        {"ssl-key",         required_argument,  NULL,         0},
        {"ssl-verify",      no_argument,        NULL,         0},
        {"ssl-trustfile",   required_argument,  NULL,         0},
+        {"ssl-ciphers",     required_argument,  NULL,         0},
 #else
        {"ssl-cert",        optional_argument,  NULL,         0},
        {"ssl-key",         optional_argument,  NULL,         0},
        {"ssl-verify",      no_argument,        NULL,         0},
        {"ssl-trustfile",   optional_argument,  NULL,         0},
+        {"ssl-ciphers",     optional_argument,  NULL,         0},
 #endif
        {0, 0, 0, 0}
    };
@@ -517,6 +519,9 @@ int main(int argc, char *argv[])
                /* If they list a trustfile assume they want certificate
                   verification. */
                o.sslverify = 1;
+            } else if (strcmp(long_options[option_index].name, "ssl-ciphers") == 0) {
+                o.ssl = 1;
+                o.sslciphers = Strdup(optarg);
            }
 #else
            else if (strcmp(long_options[option_index].name, "ssl-cert") == 0) {
@@ -527,6 +532,8 @@ int main(int argc, char *argv[])
                bye("OpenSSL isn't compiled in. The --ssl-verify option cannot be chosen.");
            } else if (strcmp(long_options[option_index].name, "ssl-trustfile") == 0) {
                bye("OpenSSL isn't compiled in. The --ssl-trustfile option cannot be chosen.");
+            } else if (strcmp(long_options[option_index].name, "ssl-ciphers") == 0) {
+                bye("OpenSSL isn't compiled in. The --ssl-ciphers option cannot be chosen.");
            }
 #endif
 #ifdef HAVE_LUA
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -177,8 +177,14 @@ SSL_CTX *setup_ssl_listen(void)
    SSL_CTX_set_options(sslctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);

    /* Secure ciphers list taken from Nsock. */
+    if (o.sslciphers == NULL) {
      if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
        bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
+    }
+    else {
+      if (!SSL_CTX_set_cipher_list(sslctx, o.sslciphers))
+        bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
+    }

    if (o.sslcert == NULL && o.sslkey == NULL) {
        X509 *cert;