commit - 8696c5ea2484893ba0422d9bd4732d15d24eb1fc
commit + 5bc3c98ed4e25bc68a72dd6cd6676b25d2cdf9cd
blob - 90245b9efa7f2b9c2e0d02920a02aae4d19acc04
blob + f45d772143cbadddfb0d996d7d75565eb6b1eeb4
--- ChangeLog
+++ ChangeLog
2021-01-15 Omar Polo <op@omarpolo.com>
+ * parse.y (option): add ability to specify the tls versions with "protocols"
+
* gmid.c (handle_open_conn): ensure the port number of the request matches
* sandbox.c (sandbox): sandbox on OpenBSD (pledge/unveil, as before) and on FreeBSD (capsicum) too
blob - ded80cd7aa095023887dab21ea47446f1e43f227
blob + a648ad94118302b1d8f3743ce04f39c507c84b61
--- gmid.c
+++ gmid.c
conf.foreground = 1;
conf.port = 1965;
conf.ipv6 = 0;
+ conf.protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
connected_clients = 0;
tls_config_verify_client_optional(tlsconf);
tls_config_insecure_noverifycert(tlsconf);
- if (tls_config_set_protocols(tlsconf,
- TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3) == -1)
+ if (tls_config_set_protocols(tlsconf, conf.protos) == -1)
err(1, "tls_config_set_protocols");
load_vhosts(tlsconf);
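Review bot: `tls_config_set_protocols(tlsconf, conf.protos)` only honours the new `protocols` option if the configuration file has already been parsed when this call runs, and that ordering is not visible in the hunk. If parsing happens later, the default mask assigned next to `conf.port = 1965;` is silently used instead. I would document the default where it is set, e.g. `/* default: TLS 1.2 and 1.3 only; the "protocols" option in the config overrides this */`, and confirm the call order. Both enclosing functions start and end outside the hunk.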
blob - 9ef38a46788c3d80b8012d805bfcdf167551f5ec
blob + 78187876a2995de208d517cf0236249f79c5cfef
--- gmid.h
+++ gmid.h
int foreground;
int port;
int ipv6;
+ uint32_t protos;
};
extern struct conf conf;
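Review bot: The new `protos` member of `struct conf` has no comment saying what the integer holds, unlike the self-describing `port` and `ipv6` fields. I would write it as `uint32_t protos; /* TLS_PROTOCOL_* bitmask passed to tls_config_set_protocols() */`. The struct's opening lines are outside the hunk, so I cannot tell whether `<stdint.h>` is already reachable from this header.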
blob - 083c4409990aaa2c9968d4ba869d29e56870cfb5
blob + 4b6cf8861dd89228e331af3446359bb2f581044e
--- lex.l
+++ lex.l
daemon return TDAEMON;
ipv6 return TIPV6;
port return TPORT;
+protocols return TPROTOCOLS;
server return TSERVER;
cert return TCERT;
blob - 9e6b63a900c2e6992e6b3e5ac860ac1433014927
blob + f4a21cf807184951e8422a78960ed5922a378350
--- parse.y
+++ parse.y
}
%token TBOOL TSTRING TNUM
-%token TDAEMON TIPV6 TPORT TSERVER
+%token TDAEMON TIPV6 TPORT TPROTOCOLS TSERVER
%token TCERT TKEY TROOT TCGI
%token TERR
option : TDAEMON TBOOL { conf.foreground = !$2; }
| TIPV6 TBOOL { conf.ipv6 = $2; }
| TPORT TNUM { conf.port = $2; }
+ | TPROTOCOLS TSTRING {
+ if (tls_config_parse_protocols(&conf.protos, $2) == -1)
+ errx(1, "invalid protocols string \"%s\"", $2);
+ }
;
vhosts : /* empty */
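Review bot: The `TPROTOCOLS TSTRING` rule stores whatever mask `tls_config_parse_protocols` accepts, so a configuration can now go below the TLS 1.2 floor that gmid.c hard-coded before this commit. Keywords such as `all`, `legacy` or `tlsv1.0` may enable older versions, depending on the libtls release. The Gemini specification requires TLS 1.2 or newer, so I would reject such masks right after parsing: `if (conf.protos & ~(TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3)) errx(1, "protocols older than TLSv1.2 are not allowed");`. Separately, the string in `$2` looks heap-allocated by the lexer and is not freed on the success path; the lexer's allocation is not visible here, so please confirm.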
blob - 86252da98982b5328affa3f8ed64b1c8d0ea5dcd
blob + 646b930168fa41fca9b3e967f88e8857586b01a4
--- sample.conf
+++ sample.conf
ipv6 on # enable ipv6
daemon on # enable daemon mode
+# decomment to allow only TLSv1.3
+#protocols "tlsv1.3"
+
# server block example
server "example.com" {
cert "/path/to/cert.pem"