bind\_port |**Optional.** The port the api listener should be bound to. Defaults to `5665`.
accept\_config |**Optional.** Accept zone configuration. Defaults to `false`.
accept\_commands |**Optional.** Accept remote commands. Defaults to `false`.
+ cipher\_list |**Optional.** Cipher list that is allowed.
## <a id="objecttype-apiuser"></a> ApiUser
return sslContext;
}
+/**
+ * Set the cipher list to the specified SSL context.
+ * @param context The ssl context.
+ * @param cipherList The ciper list.
+ **/
+void SetCipherListToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& cipherList)
+{
+ char errbuf[256];
+
+ if (SSL_CTX_set_cipher_list(context.get(), cipherList.CStr()) == 0) {
+ Log(LogCritical, "SSL")
+ << "Error with cipher list '"
+ << cipherList
+ << "' results in no availabe ciphers: "
+ << ERR_peek_error() << ", \""
+ << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
+
+ BOOST_THROW_EXCEPTION(openssl_error()
+ << boost::errinfo_api_function("SSL_CTX_set_cipher_list")
+ << errinfo_openssl_error(ERR_peek_error()));
+ }
+}
+
/**
* Loads a CRL and appends its certificates to the specified SSL context.
*
void I2_BASE_API InitializeOpenSSL(void);
boost::shared_ptr<SSL_CTX> I2_BASE_API MakeSSLContext(const String& pubkey = String(), const String& privkey = String(), const String& cakey = String());
void I2_BASE_API AddCRLToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& crlPath);
+void I2_BASE_API SetCipherListToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& cipherList);
String I2_BASE_API GetCertificateCN(const boost::shared_ptr<X509>& certificate);
boost::shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile);
int I2_BASE_API MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), const String& serialFile = String(), bool ca = false);
+ GetCrlPath() + "'.", GetDebugInfo()));
}
}
+
+ if (!GetCipherList().IsEmpty()) {
+ try {
+ SetCipherListToSSLContext(m_SSLContext, GetCipherList());
+ } catch (const std::exception&) {
+ BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
+ + GetCipherList() + "'.", GetDebugInfo()));
+ }
+ }
}
void ApiListener::OnAllConfigLoaded(void)
[config, required] String key_path;
[config, required] String ca_path;
[config] String crl_path;
+ [config] String cipher_list {
+ default {{{ return "ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL"; }}}
+ };
[config] String bind_host;
[config] String bind_port {
projects / icinga2 / commitdiff