authorJoel Sing <jsing@cvs.openbsd.org>2015-02-22 14:55:42 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2015-02-22 14:55:42 +0000
commit322a1df0f271d3355186ec15e994a8a878ccb30e (patch)
tree775a7ae008b3ab6792bd09e906004a7e975cf312
parentae65412c26bdc7b50f00739529d3d98fefc6e07a (diff)
Set the TLS ciphers to "compat" mode, restoring the previous behaviour.
-rw-r--r--libexec/spamd/spamd.c7
-rw-r--r--usr.bin/ftp/main.c9
-rw-r--r--usr.sbin/ntpd/constraint.c5
-rw-r--r--usr.sbin/syslogd/syslogd.c7
4 files changed, 19 insertions, 9 deletions
diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c
index 1b0e185808a..a993a8dbb16 100644
--- a/libexec/spamd/spamd.c
+++ b/libexec/spamd/spamd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spamd.c,v 1.124 2015/02/12 04:23:17 jsing Exp $ */
+/* $OpenBSD: spamd.c,v 1.125 2015/02/22 14:55:40 jsing Exp $ */
/*
* Copyright (c) 2015 Henning Brauer <henning@openbsd.org>
@@ -440,10 +440,13 @@ spamd_tls_init(char *keyfile, char *certfile)
errx(1, "failed to get tls config");
if ((tlsctx = tls_server()) == NULL)
errx(1, "failed to get tls server");
- /* might need user-specified ciphers, tls_config_set_ciphers */
tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
+ /* might need user-specified ciphers, tls_config_set_ciphers */
+ if (tls_config_set_ciphers(tlscfg, "compat") != 0)
+ errx(1, "failed to set tls ciphers");
+
if (tls_config_set_cert_file(tlscfg, certfile) != 0)
err(1, "could not load certificate %s", certfile);
if (tls_config_set_key_file(tlscfg, keyfile) != 0)
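Review bot: The hard-coded `"compat"` in the new `tls_config_set_ciphers()` call has no comment saying why the wider cipher list is wanted, and the retained "might need user-specified ciphers" remark now sits above a fixed value. Going by the commit message, the library default has become a narrower list and this call opts back out of it, which a later reader cannot tell from the code. I would replace the old remark with something like `/* "compat": keep the pre-change cipher list for older peers; drop this once the default list is acceptable */`. The same undocumented opt-out is added in usr.bin/ftp/main.c, usr.sbin/ntpd/constraint.c and usr.sbin/syslogd/syslogd.c. The body of spamd_tls_init() continues outside this hunk.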
diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c
index aa3e32ce663..b6614ef03cd 100644
--- a/usr.bin/ftp/main.c
+++ b/usr.bin/ftp/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.100 2015/02/17 22:39:32 tedu Exp $ */
+/* $OpenBSD: main.c,v 1.101 2015/02/22 14:55:41 jsing Exp $ */
/* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */
/*
@@ -202,11 +202,12 @@ main(volatile int argc, char *argv[])
tls_config = tls_config_new();
if (tls_config == NULL)
errx(1, "tls config failed");
- tls_config_set_protocols(tls_config,
- TLS_PROTOCOLS_ALL);
+ tls_config_set_protocols(tls_config, TLS_PROTOCOLS_ALL);
+ if (tls_config_set_ciphers(tls_config, "compat") != 0)
+ errx(1, "tls set ciphers failed");
}
-
#endif /* !SMALL */
+
httpuseragent = NULL;
while ((ch = getopt(argc, argv,
diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c
index 8e0b2974f21..c9c923e0d41 100644
--- a/usr.sbin/ntpd/constraint.c
+++ b/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraint.c,v 1.4 2015/02/12 01:54:57 reyk Exp $ */
+/* $OpenBSD: constraint.c,v 1.5 2015/02/22 14:55:41 jsing Exp $ */
/*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -595,6 +595,9 @@ httpsdate_init(const char *hname, const char *port, const char *name,
if ((httpsdate->tls_config = tls_config_new()) == NULL)
goto fail;
+ if (tls_config_set_ciphers(httpsdate->tls_config, "compat") != 0)
+ goto fail;
+
/* XXX we have to pre-resolve, so name and host are not equal */
tls_config_insecure_noverifyhost(httpsdate->tls_config);
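Review bot: The added `goto fail` after `tls_config_set_ciphers()` gives no indication of why constraint setup was abandoned, whereas the same failure in spamd, ftp and syslogd in this commit produces a message. The `fail` label is outside the hunk, so it may already log; if it does not, a line such as `log_warnx("constraint: failed to set tls ciphers");` before the jump would let an operator tell this apart from the `tls_config_new()` failure just above. This matters more here than elsewhere because the visible context already disables hostname verification for this connection, so a constraint that silently fails to initialise is easy to miss.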
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index d381c1402bd..cb63f8e0dc8 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.157 2015/02/20 00:56:32 bluhm Exp $ */
+/* $OpenBSD: syslogd.c,v 1.158 2015/02/22 14:55:41 jsing Exp $ */
/*
* Copyright (c) 1983, 1988, 1993, 1994
@@ -545,8 +545,11 @@ main(int argc, char *argv[])
free(p);
close(fd);
}
- if (tlsconfig)
+ if (tlsconfig) {
tls_config_set_protocols(tlsconfig, TLS_PROTOCOLS_ALL);
+ if (tls_config_set_ciphers(tlsconfig, "compat") != 0)
+ logerror("tls set ciphers");
+ }
dprintf("off & running....\n");
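Review bot: When `tls_config_set_ciphers()` fails in the new block, syslogd only calls `logerror()` and carries on with `tlsconfig` still set, while the other three files in this commit exit or abandon the setup on the same failure. If continuing is intended, a comment such as `/* non-fatal: keep running with the library's default cipher list */` would make that explicit. `logerror()` also appears to append the current errno text to its message, and nothing visible here sets errno, so the logged reason may be unrelated to the cipher failure. main() starts and ends outside this hunk.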