commit 5bc3c98ed4e25bc68a72dd6cd6676b25d2cdf9cd
from: Omar Polo
date: Fri Jan 15 18:55:05 2021 UTC
add protocols to the config
commit - 8696c5ea2484893ba0422d9bd4732d15d24eb1fc
commit + 5bc3c98ed4e25bc68a72dd6cd6676b25d2cdf9cd
blob - 90245b9efa7f2b9c2e0d02920a02aae4d19acc04
blob + f45d772143cbadddfb0d996d7d75565eb6b1eeb4
--- ChangeLog
+++ ChangeLog
@@ -1,5 +1,7 @@ 2021-01-15 Omar Polo
+ * parse.y (option): add ability to specify the tls versions with "protocols" + * gmid.c (handle_open_conn): ensure the port number of the request matches * sandbox.c (sandbox): sandbox on OpenBSD (pledge/unveil, as before) and on FreeBSD (capsicum) too
blob - ded80cd7aa095023887dab21ea47446f1e43f227
blob + a648ad94118302b1d8f3743ce04f39c507c84b61
--- gmid.c
+++ gmid.c
@@ -979,6 +979,7 @@ main(int argc, char **argv)
 conf.foreground = 1;
 conf.port = 1965;
 conf.ipv6 = 0;
+ conf.protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
 connected_clients = 0;
@@ -1067,8 +1068,7 @@ main(int argc, char **argv)
 tls_config_verify_client_optional(tlsconf);
 tls_config_insecure_noverifycert(tlsconf);
- if (tls_config_set_protocols(tlsconf,
- TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3) == -1)
+ if (tls_config_set_protocols(tlsconf, conf.protos) == -1)
 err(1, "tls_config_set_protocols");
 load_vhosts(tlsconf);
blob - 9ef38a46788c3d80b8012d805bfcdf167551f5ec
blob + 78187876a2995de208d517cf0236249f79c5cfef
--- gmid.h
+++ gmid.h
@@ -68,6 +68,7 @@ struct conf {
 int foreground;
 int port;
 int ipv6;
+ uint32_t protos;
 };
 extern struct conf conf;
blob - 083c4409990aaa2c9968d4ba869d29e56870cfb5
blob + 4b6cf8861dd89228e331af3446359bb2f581044e
--- lex.l
+++ lex.l
@@ -54,6 +54,7 @@ off yylval.num = 0; return TBOOL;
 daemon return TDAEMON;
 ipv6 return TIPV6;
 port return TPORT;
+protocols return TPROTOCOLS;
 server return TSERVER;
 cert return TCERT;
blob - 9e6b63a900c2e6992e6b3e5ac860ac1433014927
blob + f4a21cf807184951e8422a78960ed5922a378350
--- parse.y
+++ parse.y
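Review bot: The failure path directly below the new `tls_config_set_protocols(tlsconf, conf.protos)` call in the second gmid.c hunk reports through err(3), which appends strerror(errno), but libtls records its failure reason via tls_config_error(3) and does not set errno, so a rejected protocol mask would print an unrelated or stale errno text. Now that the mask comes from the configuration file a readable diagnostic matters more; suggest `errx(1, "tls_config_set_protocols: %s", tls_config_error(tlsconf));`. The err() line is unchanged context and main() begins and ends outside both gmid.c hunks, so whether the default set in the first hunk precedes config parsing cannot be confirmed here, though its placement next to the other conf defaults suggests it does.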
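Review bot: The new `protos` member of struct conf in the gmid.h hunk has no comment saying what it holds, while the gmid.c hunk initialises it with `TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3` and passes it to tls_config_set_protocols(3); I would write it as `uint32_t protos; /* TLS_PROTOCOL_* bitmask for tls_config_set_protocols(3) */`. The `uint32_t` type also needs `<stdint.h>` (or tls.h, which includes it) to be visible from gmid.h; whether that include already exists is not shown in the hunk.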
@@ -43,7 +43,7 @@ extern void yyerror(const char*);
 }
 %token TBOOL TSTRING TNUM
-%token TDAEMON TIPV6 TPORT TSERVER
+%token TDAEMON TIPV6 TPORT TPROTOCOLS TSERVER
 %token TCERT TKEY TROOT TCGI
 %token TERR
@@ -62,6 +62,10 @@ options : /* empty */
 option : TDAEMON TBOOL { conf.foreground = !$2; }
 | TIPV6 TBOOL { conf.ipv6 = $2; }
 | TPORT TNUM { conf.port = $2; }
+ | TPROTOCOLS TSTRING {
+ if (tls_config_parse_protocols(&conf.protos, $2) == -1)
+ errx(1, "invalid protocols string \"%s\"", $2);
+ }
 ;
 vhosts : /* empty */
blob - 86252da98982b5328affa3f8ed64b1c8d0ea5dcd
blob + 646b930168fa41fca9b3e967f88e8857586b01a4
--- sample.conf
+++ sample.conf
@@ -1,6 +1,9 @@ ipv6 on # enable ipv6
 daemon on # enable daemon mode
+# decomment to allow only TLSv1.3
+#protocols "tlsv1.3"
+
 # server block example
 server "example.com" {
 cert "/path/to/cert.pem"
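Review bot: The new TPROTOCOLS action in the second parse.y hunk only rejects strings that tls_config_parse_protocols(3) cannot parse, but that parser also accepts negations and the `all`/`legacy` keywords, so an operator can end up with an empty bitmask (for example `"all,!all"`) or re-enable the older TLS 1.0/1.1 versions where the library still supports them, and the empty case would only surface as handshake failures at runtime. Consider adding after the call `if (conf.protos == 0) errx(1, "protocols \"%s\" enables no TLS version", $2);`. The `$2` string is also never released once parsed; if the lexer allocates TSTRING values (not visible in this hunk), a `free($2);` at the end of the action avoids a one-off leak. The file's convention for reporting configuration errors (yyerror with a line number versus errx) is outside the hunk, so the errx(1, ...) form is assumed to match the rest of parse.y.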
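Review bot: The new comment in sample.conf reads `# decomment to allow only TLSv1.3`; the usual English word is "uncomment", so `# uncomment to allow only TLSv1.3`. It would also help operators to state that the value follows the tls_config_set_protocols(3) syntax and what the built-in default is, e.g. `# protocols accepts the tls_config_set_protocols(3) syntax; default is "tlsv1.2,tlsv1.3"`, since the default set in gmid.c is otherwise undocumented here.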