@@ -448,6 +448,18 @@ channel_op_res_t channel_set_options(channel_t *this,
}
}
+ /*
+ * Check if there is a restricted list of ciphers to be used
+ */
+ if (channel_data->ciphers) {
+ if (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSL_CIPHER_LIST,
+ channel_data->ciphers) != CURLE_OK) {
+ result = CHANNEL_EINIT;
+ goto cleanup;
+ }
+ }
+
if (channel_data->header != NULL) {
if (((channel_curl->header = curl_slist_append(
channel_curl->header, channel_data->header)) == NULL)) {
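Review bot: The cipher string passed to CURLOPT_SSL_CIPHER_LIST at L8–L10 is interpreted by the TLS backend curl was built against, so an OpenSSL-style list like the one in the example config will not be a valid GnuTLS/mbedTLS priority string, and on OpenSSL 1.1.1+ this option only constrains TLS 1.2-and-earlier suites (TLS 1.3 suites are selected via CURLOPT_TLS13_CIPHERS), which a reader restricting "unsafe ciphers" will not expect. curl_easy_setopt presumably just stores the string here, so a malformed list is likely to surface only at connect time rather than as CHANNEL_EINIT; worth stating in a comment above the check: `/* Backend-specific syntax (OpenSSL cipher string vs. GnuTLS priority); on OpenSSL >= 1.1.1 TLS 1.3 suites are unaffected (CURLOPT_TLS13_CIPHERS). Invalid lists are typically rejected at connect time, not here. */`. channel_set_options begins before and continues past this hunk.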
@@ -109,6 +109,9 @@ identify : (
# Hawkbit security token
# proxy : string
# in case the server is reached via a proxy
+# ciphers : string in the format used by CURL to set the allowed ciphers suite
+# This allows to disable some ciphers, for example
+# ciphers = "!eNULL:!aNULL:!EXP:!LOW:!MEDIUM:!ADH:!AECDH:!IDEA:!SEED:!MD5:!SHA:!RC4:HIGH+EECDH:HIGH+EDH";
suricatta :
{
@@ -39,6 +39,7 @@ typedef struct {
char *cafile;
char *sslkey;
char *sslcert;
+ char *ciphers;
char *proxy;
char *info;
char *header;
@@ -1515,6 +1515,9 @@ static int suricatta_settings(void *elem, void __attribute__ ((__unused__)) *da
GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "sslkey", tmp);
if (strlen(tmp))
SETSTRING(channel_data_defaults.sslkey, tmp);
+ GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "ciphers", tmp);
+ if (strlen(tmp))
+ SETSTRING(channel_data_defaults.ciphers, tmp);
GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "sslcert", tmp);
if (strlen(tmp))
SETSTRING(channel_data_defaults.sslcert, tmp);
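Review bot: The new `ciphers` read at L40–L42 is inserted between the `sslkey` and `sslcert` lookups, splitting the key/certificate pair that belong together; moving the three added lines after the `sslcert` block keeps the TLS client-identity settings adjacent and the new option visibly separate. Per the diffstat only server_hawkbit.c learns the setting, so other users of channel_data (if any consume the same config section) will not honour it — worth confirming or noting in the config comment. suricatta_settings starts before and ends after this hunk.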
By default, curl accepts all implemented ciphers. It is possible to use a restricted list of ciphers to drop ciphers that are not considered safe enough. This adds an entry in the configuration file to set a string with a list of ciphers, in the format accepted by the CURLOPT_SSL_CIPHER_LIST option. Signed-off-by: Stefano Babic <sbabic@denx.de> --- corelib/channel_curl.c | 12 ++++++++++++ examples/configuration/swupdate.cfg | 3 +++ include/channel_curl.h | 1 + suricatta/server_hawkbit.c | 3 +++ 4 files changed, 19 insertions(+)