|
36 | 36 | #define CFG_TACK_PIN_ACTIVATION "tack-pin-activation" |
37 | 37 | #endif /* ENABLE_TACK */ |
38 | 38 | #define CFG_PREFER_SERVER_CIPHERS "prefer-server-ciphers" |
| 39 | +#define CFG_PEER_CRT_VRFY_DPTH "peer-cert-verify" |
39 | 40 | #define CFG_BACKEND "backend" |
40 | 41 | #define CFG_FRONTEND "frontend" |
41 | 42 | #define CFG_WORKERS "workers" |
@@ -162,6 +163,7 @@ stud_config * config_new (void) { |
162 | 163 | r->TCP_KEEPALIVE_TIME = 3600; |
163 | 164 | r->DAEMONIZE = 0; |
164 | 165 | r->PREFER_SERVER_CIPHERS = 0; |
| 166 | + r->PEER_CRT_VRFY_DPTH = 0; |
165 | 167 | r->MAXFDS = -1; |
166 | 168 |
|
167 | 169 | return r; |
@@ -598,6 +600,9 @@ void config_param_validate (char *k, char *v, stud_config *cfg, char *file, int |
598 | 600 | else if (strcmp(k, CFG_TACK_PIN_ACTIVATION) == 0) { |
599 | 601 | r = config_param_val_bool(v, &cfg->TACK_PIN_ACTIVATION); |
600 | 602 | } |
| 603 | + else if (strcmp(k, CFG_PEER_CRT_VRFY_DPTH) == 0) { |
| 604 | + r = config_param_val_int(v, &cfg->PEER_CRT_VRFY_DPTH); |
| 605 | + } |
601 | 606 | #endif /* ENABLE_TACK */ |
602 | 607 | else if (strcmp(k, CFG_SSL_ENGINE) == 0) { |
603 | 608 | if (v != NULL && strlen(v) > 0) { |
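Review bot: The new `else if (strcmp(k, CFG_PEER_CRT_VRFY_DPTH) == 0)` branch is inserted above the `#endif /* ENABLE_TACK */` on the next line, so in a build without ENABLE_TACK the "peer-cert-verify" key is never matched, and the `-p` handler and long_options entry this commit adds (both outside any `#ifdef`) hand the value to a branch that does not exist there; the three added lines belong after the `#endif`. The parse also accepts any integer, and a negative verify depth has no meaning for chain verification, so it would be worth rejecting values below zero right after `config_param_val_int` succeeds rather than passing them on to the TLS setup. config_param_validate begins and ends outside this hunk, so I cannot see how an unmatched key is reported.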
@@ -924,6 +929,8 @@ void config_print_usage_fd (char *prog, stud_config *cfg, FILE *out) { |
924 | 929 | fprintf(out, " -c --ciphers=SUITE Sets allowed ciphers (Default: \"%s\")\n", config_disp_str(cfg->CIPHER_SUITE)); |
925 | 930 | fprintf(out, " -e --ssl-engine=NAME Sets OpenSSL engine (Default: \"%s\")\n", config_disp_str(cfg->ENGINE)); |
926 | 931 | fprintf(out, " -O --prefer-server-ciphers Prefer server list order\n"); |
| 932 | + fprintf(out, " -p --peer-cert-verify=DEPTH\n"); |
| 933 | + fprintf(out, " Require & verify peer certificates (Default: \"%d\")\n", cfg->PEER_CRT_VRFY_DPTH); |
927 | 934 | #ifdef ENABLE_TACK |
928 | 935 | fprintf(out, " -T --tack-file=FILE Load TACK data from specified file.\n"); |
929 | 936 | fprintf(out, " -S --tack-break-sigs-file=FILE Load TACK break sigs from specified file.\n"); |
@@ -1045,6 +1052,12 @@ void config_print_default (FILE *fd, stud_config *cfg) { |
1045 | 1052 | fprintf(fd, FMT_STR, CFG_PREFER_SERVER_CIPHERS, config_disp_bool(cfg->PREFER_SERVER_CIPHERS)); |
1046 | 1053 | fprintf(fd, "\n"); |
1047 | 1054 |
|
| 1055 | + fprintf(fd, "# Require peer to send a valid certificate and verify to this depth\n"); |
| 1056 | + fprintf(fd, "#\n"); |
| 1057 | + fprintf(fd, "# type: integer\n"); |
| 1058 | + fprintf(fd, FMT_ISTR, CFG_PEER_CRT_VRFY_DPTH, cfg->PEER_CRT_VRFY_DPTH); |
| 1059 | + fprintf(fd, "\n"); |
| 1060 | + |
1048 | 1061 | fprintf(fd, "# Use specified SSL engine\n"); |
1049 | 1062 | fprintf(fd, "#\n"); |
1050 | 1063 | fprintf(fd, "# type: string\n"); |
@@ -1211,6 +1224,7 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { |
1211 | 1224 | { "client", 0, &client, 1}, |
1212 | 1225 | { CFG_CIPHERS, 1, NULL, 'c' }, |
1213 | 1226 | { CFG_PREFER_SERVER_CIPHERS, 0, NULL, 'O' }, |
| 1227 | + { CFG_PEER_CRT_VRFY_DPTH, 1, NULL, 'p' }, |
1214 | 1228 | #ifdef ENABLE_TACK |
1215 | 1229 | { CFG_TACK_FILE, 1, NULL, 'T'}, |
1216 | 1230 | { CFG_TACK_BREAK_SIGS_FILE, 1, NULL, 'S'}, |
@@ -1249,7 +1263,7 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { |
1249 | 1263 | int option_index = 0; |
1250 | 1264 | c = getopt_long( |
1251 | 1265 | argc, argv, |
1252 | | - "c:e:Ob:f:n:B:C:T:S:pU:P:M:k:r:u:g:qstVh", |
| 1266 | + "c:e:Op:b:f:n:B:C:T:S:pU:P:M:k:r:u:g:qstVh", |
1253 | 1267 | long_options, &option_index |
1254 | 1268 | ); |
1255 | 1269 |
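Review bot: The rewritten optstring `"c:e:Op:b:f:n:B:C:T:S:pU:P:M:k:r:u:g:qstVh"` now lists `p` twice — the added `p:` and the pre-existing bare `p` before `U:`. getopt implementations resolve an option by the first occurrence, so the argument-taking form currently wins, but the leftover entry is misleading and would silently flip `-p` to a no-argument flag if the string were ever reordered; the second one should go: `"c:e:Op:b:f:n:B:C:T:S:U:P:M:k:r:u:g:qstVh"`. Whether the old bare `p` was a stale remnant or backed a handler I cannot see, since config_parse_cli continues outside the hunk.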
|
@@ -1295,6 +1309,9 @@ void config_parse_cli(int argc, char **argv, stud_config *cfg) { |
1295 | 1309 | case 'O': |
1296 | 1310 | config_param_validate(CFG_PREFER_SERVER_CIPHERS, CFG_BOOL_ON, cfg, NULL, 0); |
1297 | 1311 | break; |
| 1312 | + case 'p': |
| 1313 | + config_param_validate(CFG_PEER_CRT_VRFY_DPTH, optarg, cfg, NULL, 0); |
| 1314 | + break; |
1298 | 1315 | case 'b': |
1299 | 1316 | config_param_validate(CFG_BACKEND, optarg, cfg, NULL, 0); |
1300 | 1317 | break; |
|