Adjust existing tls_config_set_cipher() callers for TLS cipher group

changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.

Discussed with beck@

diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c
index 1fe86dd..e8b69af 100644 (file)
--- a/libexec/spamd/spamd.c
+++ b/libexec/spamd/spamd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: spamd.c,v 1.142 2016/05/17 17:51:47 jca Exp $ */
+/*     $OpenBSD: spamd.c,v 1.143 2016/07/13 16:35:47 jsing Exp $       */
 
 /*
  * Copyright (c) 2015 Henning Brauer <henning@openbsd.org>
@@ -458,7 +458,7 @@ spamd_tls_init()
        tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
 
        /* might need user-specified ciphers, tls_config_set_ciphers */
-       if (tls_config_set_ciphers(tlscfg, "compat") != 0)
+       if (tls_config_set_ciphers(tlscfg, "all") != 0)
                errx(1, "failed to set tls ciphers");
 
        if (tls_config_set_cert_mem(tlscfg, pubcert, pubcertlen) == -1)

diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c
index 08b657c..597d88f 100644 (file)
--- a/usr.bin/ftp/main.c
+++ b/usr.bin/ftp/main.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: main.c,v 1.108 2016/05/27 15:16:16 jsing Exp $        */
+/*     $OpenBSD: main.c,v 1.109 2016/07/13 16:35:47 jsing Exp $        */
 /*     $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $  */
 
 /*
@@ -201,7 +201,7 @@ main(volatile int argc, char *argv[])
                if (tls_config == NULL)
                        errx(1, "tls config failed");
                tls_config_set_protocols(tls_config, TLS_PROTOCOLS_ALL);
-               if (tls_config_set_ciphers(tls_config, "compat") != 0)
+               if (tls_config_set_ciphers(tls_config, "all") != 0)
                        errx(1, "tls set ciphers failed");
        }
 #endif /* !SMALL */

diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index e3f6074..72c56a6 100644 (file)
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.159 2016/07/07 14:09:44 jsing Exp $ */
+/* $OpenBSD: netcat.c,v 1.160 2016/07/13 16:35:47 jsing Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -469,7 +469,7 @@ main(int argc, char *argv[])
                        errx(1, "unable to set TLS key file %s", Kflag);
                if (TLSopt & TLS_LEGACY) {
                        tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
-                       tls_config_set_ciphers(tls_cfg, "legacy");
+                       tls_config_set_ciphers(tls_cfg, "all");
                }
                if (!lflag && (TLSopt & TLS_CCERT))
                        errx(1, "clientcert is only valid with -l");

diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index b3a9240..aa9df94 100644 (file)
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: httpd.h,v 1.103 2016/04/28 14:20:11 jsing Exp $       */
+/*     $OpenBSD: httpd.h,v 1.104 2016/07/13 16:35:47 jsing Exp $       */
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -52,7 +52,7 @@
 #define HTTPD_LOGVIS           VIS_NL|VIS_TAB|VIS_CSTYLE
 #define HTTPD_TLS_CERT         "/etc/ssl/server.crt"
 #define HTTPD_TLS_KEY          "/etc/ssl/private/server.key"
-#define HTTPD_TLS_CIPHERS      "HIGH:!aNULL"
+#define HTTPD_TLS_CIPHERS      "compat"
 #define HTTPD_TLS_DHE_PARAMS   "none"
 #define HTTPD_TLS_ECDHE_CURVE  "auto"
 #define FD_RESERVE             5

diff --git a/usr.sbin/ldapd/parse.y b/usr.sbin/ldapd/parse.y
index 77ba1cd..b1971bf 100644 (file)
--- a/usr.sbin/ldapd/parse.y
+++ b/usr.sbin/ldapd/parse.y
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.18 2016/06/21 21:35:24 benno Exp $ */
+/*     $OpenBSD: parse.y,v 1.19 2016/07/13 16:35:47 jsing Exp $ */
 
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martinh@openbsd.org>
@@ -1214,7 +1214,7 @@ load_certfile(struct ldapd_config *env, const char *name, u_int8_t flags)
                goto err;
 
        tls_config_set_protocols(s->config, TLS_PROTOCOLS_ALL);
-       if (tls_config_set_ciphers(s->config, "compat")) {
+       if (tls_config_set_ciphers(s->config, "all")) {
                log_warn("load_certfile: failed to set tls ciphers: %s",
                    tls_config_error(s->config));
                goto err;

diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c
index e2df6c6..1378761 100644 (file)
--- a/usr.sbin/ntpd/constraint.c
+++ b/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: constraint.c,v 1.29 2016/06/01 16:35:58 deraadt Exp $ */
+/*     $OpenBSD: constraint.c,v 1.30 2016/07/13 16:35:47 jsing Exp $   */
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -818,7 +818,7 @@ httpsdate_init(const char *addr, const char *port, const char *hostname,
        if ((httpsdate->tls_config = tls_config_new()) == NULL)
                goto fail;
 
-       if (tls_config_set_ciphers(httpsdate->tls_config, "compat") != 0)
+       if (tls_config_set_ciphers(httpsdate->tls_config, "all") != 0)
                goto fail;
 
        if (ca == NULL || ca_len == 0)

diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index db8ef33..fe32f89 100644 (file)
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: syslogd.c,v 1.209 2016/07/12 09:47:25 bluhm Exp $     */
+/*     $OpenBSD: syslogd.c,v 1.210 2016/07/13 16:35:47 jsing Exp $     */
 
 /*
  * Copyright (c) 1983, 1988, 1993, 1994
@@ -617,7 +617,7 @@ main(int argc, char *argv[])
                        logerrorx("options -c and -k must be used together");
                }
                tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL);
-               if (tls_config_set_ciphers(client_config, "compat") != 0)
+               if (tls_config_set_ciphers(client_config, "all") != 0)
                        logerror("tls set client ciphers");
        }
        if (server_config && server_ctx) {