From 017be063f18b8676903994371040064a67e4b1e0 Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Wed, 13 Jul 2016 16:35:48 +0000 Subject: Adjust existing tls_config_set_cipher() callers for TLS cipher group changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@ --- libexec/spamd/spamd.c | 4 ++-- usr.bin/ftp/main.c | 4 ++-- usr.bin/nc/netcat.c | 4 ++-- usr.sbin/httpd/httpd.h | 4 ++-- usr.sbin/ldapd/parse.y | 4 ++-- usr.sbin/ntpd/constraint.c | 4 ++-- usr.sbin/syslogd/syslogd.c | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c index 1fe86ddff71..e8b69aff19d 100644 --- a/libexec/spamd/spamd.c +++ b/libexec/spamd/spamd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spamd.c,v 1.142 2016/05/17 17:51:47 jca Exp $ */ +/* $OpenBSD: spamd.c,v 1.143 2016/07/13 16:35:47 jsing Exp $ */ /* * Copyright (c) 2015 Henning Brauer @@ -458,7 +458,7 @@ spamd_tls_init() tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL); /* might need user-specified ciphers, tls_config_set_ciphers */ - if (tls_config_set_ciphers(tlscfg, "compat") != 0) + if (tls_config_set_ciphers(tlscfg, "all") != 0) errx(1, "failed to set tls ciphers"); if (tls_config_set_cert_mem(tlscfg, pubcert, pubcertlen) == -1) diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c index 08b657ccf78..597d88f0371 100644 --- a/usr.bin/ftp/main.c +++ b/usr.bin/ftp/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.108 2016/05/27 15:16:16 jsing Exp $ */ +/* $OpenBSD: main.c,v 1.109 2016/07/13 16:35:47 jsing Exp $ */ /* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */ /* @@ -201,7 +201,7 @@ main(volatile int argc, char *argv[]) if (tls_config == NULL) errx(1, "tls config failed"); tls_config_set_protocols(tls_config, TLS_PROTOCOLS_ALL); - if (tls_config_set_ciphers(tls_config, "compat") != 0) + if (tls_config_set_ciphers(tls_config, "all") != 0) errx(1, "tls set ciphers failed"); } #endif /* !SMALL */ diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c index e3f6074ab41..72c56a60d95 100644 --- a/usr.bin/nc/netcat.c +++ b/usr.bin/nc/netcat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: netcat.c,v 1.159 2016/07/07 14:09:44 jsing Exp $ */ +/* $OpenBSD: netcat.c,v 1.160 2016/07/13 16:35:47 jsing Exp $ */ /* * Copyright (c) 2001 Eric Jackson * Copyright (c) 2015 Bob Beck. All rights reserved. @@ -469,7 +469,7 @@ main(int argc, char *argv[]) errx(1, "unable to set TLS key file %s", Kflag); if (TLSopt & TLS_LEGACY) { tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL); - tls_config_set_ciphers(tls_cfg, "legacy"); + tls_config_set_ciphers(tls_cfg, "all"); } if (!lflag && (TLSopt & TLS_CCERT)) errx(1, "clientcert is only valid with -l"); diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h index b3a9240be6d..aa9df949383 100644 --- a/usr.sbin/httpd/httpd.h +++ b/usr.sbin/httpd/httpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: httpd.h,v 1.103 2016/04/28 14:20:11 jsing Exp $ */ +/* $OpenBSD: httpd.h,v 1.104 2016/07/13 16:35:47 jsing Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter @@ -52,7 +52,7 @@ #define HTTPD_LOGVIS VIS_NL|VIS_TAB|VIS_CSTYLE #define HTTPD_TLS_CERT "/etc/ssl/server.crt" #define HTTPD_TLS_KEY "/etc/ssl/private/server.key" -#define HTTPD_TLS_CIPHERS "HIGH:!aNULL" +#define HTTPD_TLS_CIPHERS "compat" #define HTTPD_TLS_DHE_PARAMS "none" #define HTTPD_TLS_ECDHE_CURVE "auto" #define FD_RESERVE 5 diff --git a/usr.sbin/ldapd/parse.y b/usr.sbin/ldapd/parse.y index 77ba1cd71da..b1971bf3d3a 100644 --- a/usr.sbin/ldapd/parse.y +++ b/usr.sbin/ldapd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.18 2016/06/21 21:35:24 benno Exp $ */ +/* $OpenBSD: parse.y,v 1.19 2016/07/13 16:35:47 jsing Exp $ */ /* * Copyright (c) 2009, 2010 Martin Hedenfalk @@ -1214,7 +1214,7 @@ load_certfile(struct ldapd_config *env, const char *name, u_int8_t flags) goto err; tls_config_set_protocols(s->config, TLS_PROTOCOLS_ALL); - if (tls_config_set_ciphers(s->config, "compat")) { + if (tls_config_set_ciphers(s->config, "all")) { log_warn("load_certfile: failed to set tls ciphers: %s", tls_config_error(s->config)); goto err; diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c index e2df6c638e2..137876121ed 100644 --- a/usr.sbin/ntpd/constraint.c +++ b/usr.sbin/ntpd/constraint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: constraint.c,v 1.29 2016/06/01 16:35:58 deraadt Exp $ */ +/* $OpenBSD: constraint.c,v 1.30 2016/07/13 16:35:47 jsing Exp $ */ /* * Copyright (c) 2015 Reyk Floeter @@ -818,7 +818,7 @@ httpsdate_init(const char *addr, const char *port, const char *hostname, if ((httpsdate->tls_config = tls_config_new()) == NULL) goto fail; - if (tls_config_set_ciphers(httpsdate->tls_config, "compat") != 0) + if (tls_config_set_ciphers(httpsdate->tls_config, "all") != 0) goto fail; if (ca == NULL || ca_len == 0) diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index db8ef33f7f1..fe32f896a64 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syslogd.c,v 1.209 2016/07/12 09:47:25 bluhm Exp $ */ +/* $OpenBSD: syslogd.c,v 1.210 2016/07/13 16:35:47 jsing Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -617,7 +617,7 @@ main(int argc, char *argv[]) logerrorx("options -c and -k must be used together"); } tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL); - if (tls_config_set_ciphers(client_config, "compat") != 0) + if (tls_config_set_ciphers(client_config, "all") != 0) logerror("tls set client ciphers"); } if (server_config && server_ctx) { -- cgit v1.2.3