From 0b1f3db1fa16a3a722f45bb4cc7af2b4bdf95e8d Mon Sep 17 00:00:00 2001
From: jsing
Date: Wed, 13 Jul 2016 16:35:47 +0000
Subject: [PATCH] Adjust existing tls_config_set_cipher() callers for TLS cipher group changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@
---
 libexec/spamd/spamd.c | 4 ++--
 usr.bin/ftp/main.c | 4 ++--
 usr.bin/nc/netcat.c | 4 ++--
 usr.sbin/httpd/httpd.h | 4 ++--
 usr.sbin/ldapd/parse.y | 4 ++--
 usr.sbin/ntpd/constraint.c | 4 ++--
 usr.sbin/syslogd/syslogd.c | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c
index 1fe86ddff71..e8b69aff19d 100644
--- a/libexec/spamd/spamd.c
+++ b/libexec/spamd/spamd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spamd.c,v 1.142 2016/05/17 17:51:47 jca Exp $ */
+/* $OpenBSD: spamd.c,v 1.143 2016/07/13 16:35:47 jsing Exp $ */
 /*
 * Copyright (c) 2015 Henning Brauer
@@ -458,7 +458,7 @@ spamd_tls_init()
 tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
 /* might need user-specified ciphers, tls_config_set_ciphers */
- if (tls_config_set_ciphers(tlscfg, "compat") != 0)
+ if (tls_config_set_ciphers(tlscfg, "all") != 0)
 errx(1, "failed to set tls ciphers");
 if (tls_config_set_cert_mem(tlscfg, pubcert, pubcertlen) == -1)
diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c
index 08b657ccf78..597d88f0371 100644
--- a/usr.bin/ftp/main.c
+++ b/usr.bin/ftp/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.108 2016/05/27 15:16:16 jsing Exp $ */
+/* $OpenBSD: main.c,v 1.109 2016/07/13 16:35:47 jsing Exp $ */
 /* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */
 /*
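Review bot: The `"all"` keyword in spamd_tls_init() is the broadest libtls cipher group, and nothing at the call site records that it was chosen only to keep the previous behaviour; the "revisited post release" intent lives in the commit message alone. I would put a marker above the call, e.g. `/* XXX "all" preserves the pre-regroup cipher set; narrow once peers allow */`. The same applies to the identical replacements in usr.bin/ftp/main.c, usr.sbin/ldapd/parse.y, usr.sbin/ntpd/constraint.c and usr.sbin/syslogd/syslogd.c. For the ntpd constraint client, whose peers are presumably current HTTPS servers, a narrower group may already be enough; that needs confirming against deployed constraint hosts. spamd_tls_init() continues past the end of the hunk.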
@@ -201,7 +201,7 @@ main(volatile int argc, char *argv[])
 if (tls_config == NULL)
 errx(1, "tls config failed");
 tls_config_set_protocols(tls_config, TLS_PROTOCOLS_ALL);
- if (tls_config_set_ciphers(tls_config, "compat") != 0)
+ if (tls_config_set_ciphers(tls_config, "all") != 0)
 errx(1, "tls set ciphers failed");
 }
 #endif /* !SMALL */
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index e3f6074ab41..72c56a60d95 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.159 2016/07/07 14:09:44 jsing Exp $ */
+/* $OpenBSD: netcat.c,v 1.160 2016/07/13 16:35:47 jsing Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -469,7 +469,7 @@ main(int argc, char *argv[])
 errx(1, "unable to set TLS key file %s", Kflag);
 if (TLSopt & TLS_LEGACY) {
 tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
- tls_config_set_ciphers(tls_cfg, "legacy");
+ tls_config_set_ciphers(tls_cfg, "all");
 }
 if (!lflag && (TLSopt & TLS_CCERT))
 errx(1, "clientcert is only valid with -l");
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index b3a9240be6d..aa9df949383 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.103 2016/04/28 14:20:11 jsing Exp $ */
+/* $OpenBSD: httpd.h,v 1.104 2016/07/13 16:35:47 jsing Exp $ */
 /*
 * Copyright (c) 2006 - 2015 Reyk Floeter
@@ -52,7 +52,7 @@
 #define HTTPD_LOGVIS VIS_NL|VIS_TAB|VIS_CSTYLE
 #define HTTPD_TLS_CERT "/etc/ssl/server.crt"
 #define HTTPD_TLS_KEY "/etc/ssl/private/server.key"
-#define HTTPD_TLS_CIPHERS "HIGH:!aNULL"
+#define HTTPD_TLS_CIPHERS "compat"
 #define HTTPD_TLS_DHE_PARAMS "none"
 #define HTTPD_TLS_ECDHE_CURVE "auto"
 #define FD_RESERVE 5
diff --git a/usr.sbin/ldapd/parse.y b/usr.sbin/ldapd/parse.y
index 77ba1cd71da..b1971bf3d3a 100644
--- a/usr.sbin/ldapd/parse.y
+++ b/usr.sbin/ldapd/parse.y
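Review bot: The return value of `tls_config_set_ciphers(tls_cfg, "all")` in the `TLS_LEGACY` branch of nc's main() is ignored, while every other caller touched by this patch checks it. If the keyword were rejected, nc would carry on with whatever cipher list the config already holds and the requested legacy mode would silently not apply. Suggest `if (tls_config_set_ciphers(tls_cfg, "all") != 0) errx(1, "unable to set TLS ciphers");`, in line with the errx() calls around it. main() starts and ends outside the hunk.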
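Review bot: `HTTPD_TLS_CIPHERS` is now a libtls group keyword rather than an explicit cipher string, so the server's default cipher set follows whatever libtls defines `"compat"` to be, and a reader of httpd.h can no longer see which suites that is. A short comment would make the dependency explicit, e.g. `/* libtls cipher group keyword, expanded by tls_config_set_ciphers() */`. If the httpd.conf(5) text still quotes the old `HIGH:!aNULL` default it should be updated with this change; that file is not part of the visible patch.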
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.18 2016/06/21 21:35:24 benno Exp $ */
+/* $OpenBSD: parse.y,v 1.19 2016/07/13 16:35:47 jsing Exp $ */
 /*
 * Copyright (c) 2009, 2010 Martin Hedenfalk
@@ -1214,7 +1214,7 @@ load_certfile(struct ldapd_config *env, const char *name, u_int8_t flags)
 goto err;
 tls_config_set_protocols(s->config, TLS_PROTOCOLS_ALL);
- if (tls_config_set_ciphers(s->config, "compat")) {
+ if (tls_config_set_ciphers(s->config, "all")) {
 log_warn("load_certfile: failed to set tls ciphers: %s",
 tls_config_error(s->config));
 goto err;
diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c
index e2df6c638e2..137876121ed 100644
--- a/usr.sbin/ntpd/constraint.c
+++ b/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraint.c,v 1.29 2016/06/01 16:35:58 deraadt Exp $ */
+/* $OpenBSD: constraint.c,v 1.30 2016/07/13 16:35:47 jsing Exp $ */
 /*
 * Copyright (c) 2015 Reyk Floeter
@@ -818,7 +818,7 @@ httpsdate_init(const char *addr, const char *port, const char *hostname,
 if ((httpsdate->tls_config = tls_config_new()) == NULL)
 goto fail;
- if (tls_config_set_ciphers(httpsdate->tls_config, "compat") != 0)
+ if (tls_config_set_ciphers(httpsdate->tls_config, "all") != 0)
 goto fail;
 if (ca == NULL || ca_len == 0)
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index db8ef33f7f1..fe32f896a64 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.209 2016/07/12 09:47:25 bluhm Exp $ */
+/* $OpenBSD: syslogd.c,v 1.210 2016/07/13 16:35:47 jsing Exp $ */
 /*
 * Copyright (c) 1983, 1988, 1993, 1994
@@ -617,7 +617,7 @@ main(int argc, char *argv[])
 logerrorx("options -c and -k must be used together");
 }
 tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL);
- if (tls_config_set_ciphers(client_config, "compat") != 0)
+ if (tls_config_set_ciphers(client_config, "all") != 0)
 logerror("tls set client ciphers");
 }
 if (server_config && server_ctx) {
--
2.20.1
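Review bot: When `tls_config_set_ciphers(client_config, "all")` fails in syslogd's main(), the code only calls `logerror("tls set client ciphers")` and keeps using `client_config`, so TLS log forwarding would proceed with a cipher list other than the one intended. Which list that is cannot be told from the hunk. Either treat the failure as fatal for the TLS client setup, or add a comment stating that continuing is deliberate, e.g. `/* non-fatal: client keeps the cipher list already in client_config */` (to be confirmed against libtls). main() extends beyond the hunk on both sides.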