Allow user to set DTLS ciphers
authorDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 24 Apr 2009 15:34:52 +0000 (16:34 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 24 Apr 2009 15:34:52 +0000 (16:34 +0100)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
cstp.c
main.c
openconnect.8
openconnect.h

diff --git a/cstp.c b/cstp.c
index 522141a..c4ccc99 100644 (file)
--- a/cstp.c
+++ b/cstp.c
@@ -102,7 +102,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
        openconnect_SSL_printf(vpninfo->https_ssl, "X-DTLS-Master-Secret: ");
        for (i = 0; i < sizeof(vpninfo->dtls_secret); i++)
                openconnect_SSL_printf(vpninfo->https_ssl, "%02X", vpninfo->dtls_secret[i]);
-       openconnect_SSL_printf(vpninfo->https_ssl, "\r\nX-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA\r\n\r\n");
+       openconnect_SSL_printf(vpninfo->https_ssl, "\r\nX-DTLS-CipherSuite: %s\r\n\r\n",
+                              vpninfo->dtls_ciphers?:"AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
 
        if (openconnect_SSL_gets(vpninfo->https_ssl, buf, 65536) < 0) {
                vpninfo->progress(vpninfo, PRG_ERR, "Error fetching HTTPS response\n");
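Review bot: The user-supplied cipher list is formatted straight into the X-DTLS-CipherSuite header on the added lines without any check of its contents, and it arrives there unvalidated from optarg in main.c, so a value containing CR or LF (or one that is not a valid OpenSSL cipher string at all) produces a malformed request or is only rejected much later, if ever; a single `if (vpninfo->dtls_ciphers && strpbrk(vpninfo->dtls_ciphers, "\r\n")) { report error; return -EINVAL; }` before the printf would catch the malformed case at the point it matters. The `?:` form on the second added line is a GNU C extension; the portable spelling is `vpninfo->dtls_ciphers ? vpninfo->dtls_ciphers : "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"`. This hunk only changes the list advertised to the server; whether the local DTLS context set up elsewhere is restricted to the same list is not visible in this diff, and if it is not, the server may choose a suite the client then refuses. start_cstp_connection begins and ends outside the hunk.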
diff --git a/main.c b/main.c
index e322c3d..456dea7 100644 (file)
--- a/main.c
+++ b/main.c
@@ -77,6 +77,7 @@ static struct option long_options[] = {
        {"passwd-on-stdin", 0, 0, '5'},
        {"no-passwd", 0, 0, '6'},
        {"reconnect-timeout", 1, 0, '7'},
+       {"dtls-ciphers", 1, 0, '8'},
        {NULL, 0, 0, 0},
 };
 
@@ -109,6 +110,7 @@ void usage(void)
        printf("      --cookieonly                Fetch webvpn cookie only; don't connect\n");
        printf("      --printcookie               Print webvpn cookie before connecting\n");
        printf("      --cafile=FILE               Cert file for server verification\n");
+       printf("      --dtls-ciphers=LIST         OpenSSL ciphers to support for DTLS\n");
        printf("      --no-dtls                   Disable DTLS\n");
        printf("      --no-passwd                 Disable password/SecurID authentication\n");
        printf("      --passwd-on-stdin           Read password from standard input\n");
@@ -206,6 +208,9 @@ int main(int argc, char **argv)
                case '7':
                        vpninfo->reconnect_timeout = atoi(optarg);
                        break;
+               case '8':
+                       vpninfo->dtls_ciphers = optarg;
+                       break;
                case 'C':
                        vpninfo->cookie = optarg;
                        break;
index 978f3c1..df36215 100644 (file)
@@ -95,6 +95,10 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .I FILE
 ]
 [
+.B --dtls-ciphers
+.I LIST
+]
+[
 .B --no-dtls
 ]
 [
@@ -222,6 +226,9 @@ Print webvpn cookie before connecting
 .B --cafile=FILE
 Cert file for server verification
 .TP
+.B --dtls-ciphers=LIST
+Set OpenSSL ciphers to support for DTLS
+.TP
 .B --no-dtls
 Disable DTLS
 .TP
index d42fd8c..cc0f2ad 100644 (file)
@@ -143,6 +143,7 @@ struct openconnect_info {
        char *username;
        char *password;
        int nopasswd;
+       char *dtls_ciphers;
 
        char *cookie;
        struct vpn_option *cookies;
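Review bot: The new `dtls_ciphers` field carries no comment stating its ownership or its NULL meaning, although both are fixed by this commit: main.c stores the raw optarg pointer in it and cstp.c falls back to a built-in list when it is NULL. A comment on the added line such as `char *dtls_ciphers;	/* OpenSSL cipher list sent for DTLS; NULL = built-in default; aliases argv, not owned or freed */` would keep a later maintainer from freeing it or from assuming it is always set. The enclosing struct openconnect_info begins and ends outside the hunk.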