From 322a1df0f271d3355186ec15e994a8a878ccb30e Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Sun, 22 Feb 2015 14:55:42 +0000 Subject: Set the TLS ciphers to "compat" mode, restoring the previous behaviour. --- libexec/spamd/spamd.c | 7 +++++-- usr.bin/ftp/main.c | 9 +++++---- usr.sbin/ntpd/constraint.c | 5 ++++- usr.sbin/syslogd/syslogd.c | 7 +++++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c index 1b0e185808a..a993a8dbb16 100644 --- a/libexec/spamd/spamd.c +++ b/libexec/spamd/spamd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spamd.c,v 1.124 2015/02/12 04:23:17 jsing Exp $ */ +/* $OpenBSD: spamd.c,v 1.125 2015/02/22 14:55:40 jsing Exp $ */ /* * Copyright (c) 2015 Henning Brauer @@ -440,10 +440,13 @@ spamd_tls_init(char *keyfile, char *certfile) errx(1, "failed to get tls config"); if ((tlsctx = tls_server()) == NULL) errx(1, "failed to get tls server"); - /* might need user-specified ciphers, tls_config_set_ciphers */ tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL); + /* might need user-specified ciphers, tls_config_set_ciphers */ + if (tls_config_set_ciphers(tlscfg, "compat") != 0) + errx(1, "failed to set tls ciphers"); + if (tls_config_set_cert_file(tlscfg, certfile) != 0) err(1, "could not load certificate %s", certfile); if (tls_config_set_key_file(tlscfg, keyfile) != 0) diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c index aa3e32ce663..b6614ef03cd 100644 --- a/usr.bin/ftp/main.c +++ b/usr.bin/ftp/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.100 2015/02/17 22:39:32 tedu Exp $ */ +/* $OpenBSD: main.c,v 1.101 2015/02/22 14:55:41 jsing Exp $ */ /* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */ /* 
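Review bot: In spamd_tls_init the cipher list is now hard-coded to "compat" under a comment that still reads as an open TODO, so nothing records that this deliberately widens the list beyond the libtls default. Together with TLS_PROTOCOLS_ALL on the line above, the listener accepts whatever legacy protocol and cipher combinations "compat" includes; presumably that is wanted for interoperability with arbitrary SMTP senders, but the code should say so. I would replace the comment with `/* "compat" widens the libtls default cipher list for legacy peers; should become user-configurable */`. The same undocumented "compat" literal appears in the ftp main() and ntpd httpsdate_init() hunks, and spamd_tls_init itself continues outside this hunk.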
@@ -202,11 +202,12 @@ main(volatile int argc, char *argv[]) tls_config = tls_config_new(); if (tls_config == NULL) errx(1, "tls config failed"); - tls_config_set_protocols(tls_config, - TLS_PROTOCOLS_ALL); + tls_config_set_protocols(tls_config, TLS_PROTOCOLS_ALL); + if (tls_config_set_ciphers(tls_config, "compat") != 0) + errx(1, "tls set ciphers failed"); } - #endif /* !SMALL */ + httpuseragent = NULL; while ((ch = getopt(argc, argv, diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c index 8e0b2974f21..c9c923e0d41 100644 --- a/usr.sbin/ntpd/constraint.c +++ b/usr.sbin/ntpd/constraint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: constraint.c,v 1.4 2015/02/12 01:54:57 reyk Exp $ */ +/* $OpenBSD: constraint.c,v 1.5 2015/02/22 14:55:41 jsing Exp $ */ /* * Copyright (c) 2015 Reyk Floeter @@ -595,6 +595,9 @@ httpsdate_init(const char *hname, const char *port, const char *name, if ((httpsdate->tls_config = tls_config_new()) == NULL) goto fail; + if (tls_config_set_ciphers(httpsdate->tls_config, "compat") != 0) + goto fail; + /* XXX we have to pre-resolve, so name and host are not equal */ tls_config_insecure_noverifyhost(httpsdate->tls_config); diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index d381c1402bd..cb63f8e0dc8 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syslogd.c,v 1.157 2015/02/20 00:56:32 bluhm Exp $ */ +/* $OpenBSD: syslogd.c,v 1.158 2015/02/22 14:55:41 jsing Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -545,8 +545,11 @@ main(int argc, char *argv[]) free(p); close(fd); } - if (tlsconfig) + if (tlsconfig) { tls_config_set_protocols(tlsconfig, TLS_PROTOCOLS_ALL); + if (tls_config_set_ciphers(tlsconfig, "compat") != 0) + logerror("tls set ciphers"); + } dprintf("off & running....\n"); -- cgit v1.2.3
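Review bot: The new failure path in httpsdate_init is a bare `goto fail`, so unless the fail label (outside this hunk) logs something, a failed cipher setup is indistinguishable from any other init failure; the other three call sites in this commit all emit a message. Bracing the branch and adding `log_warnx("constraint: tls set ciphers failed");` before the `goto fail;` would make it diagnosable. Separately, the widened cipher list is applied right before `tls_config_insecure_noverifyhost()`, and the constraint appears to be used as a trusted time reference, so it is worth confirming that "compat" is really needed here rather than the library default, and recording the reason in a comment.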
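Review bot: When tls_config_set_ciphers() fails in syslogd's main(), the error is only logged and tlsconfig stays in use, whereas spamd and ftp treat the same failure as fatal. The hunk does not show which cipher list the config holds after a failed call, so TLS log forwarding could run with a list nobody chose. If continuing is intended, a comment should say so; otherwise drop the config after logging with `tls_config_free(tlsconfig); tlsconfig = NULL;`. That assumes the rest of main() (outside the hunk) treats a NULL tlsconfig as "TLS unavailable", as the `if (tlsconfig)` guard suggests; confirm that TLS loghosts then fail closed rather than fall back to plaintext.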