diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/etc/openwsman.conf.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/etc/openwsman.conf
--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/etc/openwsman.conf.orig 2016-07-27 16:03:55.000000000 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/etc/openwsman.conf 2017-10-02 12:22:14.132019954 +0200
@@ -45,6 +45,10 @@ ssl_disabled_protocols = SSLv2 SSLv3
 # set these to enable basic authentication against a local datbase
 #basic_password_file = /etc/openwsman/simple_auth.passwd
+# SSL cipher list
+# see 'ciphers' in the OpenSSL documentation
+#ssl_cipher_list =
+
 max_threads = 0
 max_connections_per_thread = 20
 #thread_stack_size=262144
diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c
--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c.orig 2017-10-02 12:26:03.160273923 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c 2017-10-02 12:28:01.700405369 +0200
@@ -1472,6 +1472,7 @@ set_ssl(struct shttpd_ctx *ctx, const ch
 void *lib;
 struct ssl_func *fp;
 char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
+ char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list();
 int retval = FALSE;
 /* Initialize SSL crap */
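Review bot: The sample entry `#ssl_cipher_list =` in the openwsman.conf hunk carries no value, so an administrator who simply uncommenting it would most likely hand the server an empty string rather than leave the option unset. The shttpd.c change only tests the pointer (`if (ssl_cipher_list)`), so an empty value would presumably still be passed to OpenSSL; confirm what iniparser returns for a key with nothing after the `=`. A concrete commented example, for instance `#ssl_cipher_list = HIGH:!aNULL:!MD5`, plus a comment stating that an unset option keeps the OpenSSL default, would make the setting harder to misconfigure.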
@@ -1530,6 +1531,13 @@ set_ssl(struct shttpd_ctx *ctx, const ch
 ssl_disabled_protocols = blank_ptr + 1;
 }
+ if (ssl_cipher_list) {
+ int rc = SSL_CTX_set_cipher_list(CTX, ssl_cipher_list);
+ if (rc != 0) {
+ _shttpd_elog(E_LOG, NULL, "Failed to set SSL cipher list \"%s\"", ssl_cipher_list);
+ }
+ }
+
 ctx->ssl_ctx = CTX;
 return (retval);
diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.c.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.c
--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.c.orig 2017-10-02 12:23:24.487097973 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.c 2017-10-02 12:24:57.701201336 +0200
@@ -79,6 +79,7 @@ static char *ssl_key_file = NULL;
 static char *service_path = DEFAULT_SERVICE_PATH;
 static char *ssl_cert_file = NULL;
 static char *ssl_disabled_protocols = NULL;
+static char *ssl_cipher_list = NULL;
 static char *pid_file = DEFAULT_PID_PATH;
 static char *uri_subscription_repository = DEFAULT_SUBSCRIPTION_REPOSITORY;
 static int daemon_flag = 0;
@@ -178,6 +179,7 @@ int wsmand_read_config(dictionary * ini)
 ssl_key_file = iniparser_getstr(ini, "server:ssl_key_file");
 ssl_cert_file = iniparser_getstr(ini, "server:ssl_cert_file");
 ssl_disabled_protocols = iniparser_getstr(ini, "server:ssl_disabled_protocols");
+ ssl_cipher_list = iniparser_getstr(ini, "server:ssl_cipher_list");
 use_ipv4 = iniparser_getboolean(ini, "server:ipv4", 1);
 #ifdef ENABLE_IPV6
 use_ipv6 = iniparser_getboolean(ini, "server:ipv6", 1);
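Review bot: The return-value test on `SSL_CTX_set_cipher_list` in the second set_ssl hunk of shttpd.c is inverted: OpenSSL returns 1 when at least one cipher could be selected and 0 on failure, so `if (rc != 0)` logs "Failed to set SSL cipher list" for every valid list and stays silent for a list that selects nothing. The condition should be `if (rc != 1) {`. On a rejected list the code then still reaches `ctx->ssl_ctx = CTX;`, so the listener would apparently keep OpenSSL's default cipher set while the administrator believes a restricted list is in force; consider treating this as a setup failure instead of only logging, after checking how `retval` is set in the lines outside the hunk. set_ssl's body starts and ends outside this hunk.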
@@ -348,6 +350,11 @@ char *wsmand_options_get_ssl_disabled_pr
 return ssl_disabled_protocols;
 }
+char *wsmand_options_get_ssl_cipher_list(void)
+{
+ return ssl_cipher_list;
+}
+
 int wsmand_options_get_digest(void)
 {
 return use_digest;
diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.h.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.h
--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.h.orig 2017-10-02 12:25:06.792211418 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-daemon.h 2017-10-02 12:25:30.629237848 +0200
@@ -77,6 +77,7 @@ int wsmand_options_get_server_ssl_port(v
 char *wsmand_options_get_ssl_key_file(void);
 char *wsmand_options_get_ssl_cert_file(void);
 char *wsmand_options_get_ssl_disabled_protocols(void);
+char *wsmand_options_get_ssl_cipher_list(void);
 int wsmand_options_get_digest(void);
 char *wsmand_options_get_digest_password_file(void);
 char *wsmand_options_get_basic_password_file(void);