Make the cipher list configurable for TLS streams

fixes #11063

Signed-off-by: Gunnar Beutner <gunnar.beutner@netways.de>

doc/6-object-types.md

@@ -50,6 +50,7 @@ Configuration Attributes:
   bind\_port                |**Optional.** The port the api listener should be bound to. Defaults to `5665`.
   accept\_config            |**Optional.** Accept zone configuration. Defaults to `false`.
   accept\_commands          |**Optional.** Accept remote commands. Defaults to `false`.
+  cipher\_list		    |**Optional.** Cipher list that is allowed.
 
 ## <a id="objecttype-apiuser"></a> ApiUser
 

lib/base/tlsutility.cpp

@@ -158,6 +158,29 @@ boost::shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& pr
 	return sslContext;
 }
 
+/**
+ * Set the cipher list to the specified SSL context.
+ * @param context The ssl context.
+ * @param cipherList The ciper list.
+ **/
+void SetCipherListToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& cipherList)
+{
+	char errbuf[256];
+
+	if (SSL_CTX_set_cipher_list(context.get(), cipherList.CStr()) == 0) {
+		Log(LogCritical, "SSL")
+		    << "Error with cipher list '"
+		    << cipherList
+		    << "' results in no availabe ciphers: "
+		    << ERR_peek_error() << ", \""
+		    << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
+
+		BOOST_THROW_EXCEPTION(openssl_error()
+		    << boost::errinfo_api_function("SSL_CTX_set_cipher_list")
+		    << errinfo_openssl_error(ERR_peek_error()));
+	}
+}
+
 /**
  * Loads a CRL and appends its certificates to the specified SSL context.
  *

lib/base/tlsutility.hpp

@@ -40,6 +40,7 @@ namespace icinga
 void I2_BASE_API InitializeOpenSSL(void);
 boost::shared_ptr<SSL_CTX> I2_BASE_API MakeSSLContext(const String& pubkey = String(), const String& privkey = String(), const String& cakey = String());
 void I2_BASE_API AddCRLToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& crlPath);
+void I2_BASE_API SetCipherListToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& cipherList);
 String I2_BASE_API GetCertificateCN(const boost::shared_ptr<X509>& certificate);
 boost::shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile);
 int I2_BASE_API MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), const String& serialFile = String(), bool ca = false);

lib/remote/apilistener.cpp

@@ -95,6 +95,15 @@ void ApiListener::OnConfigLoaded(void)
 			    + GetCrlPath() + "'.", GetDebugInfo()));
 		}
 	}
+
+	if (!GetCipherList().IsEmpty()) {
+		try {
+			SetCipherListToSSLContext(m_SSLContext, GetCipherList());
+		} catch (const std::exception&) {
+			BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
+			    + GetCipherList() + "'.", GetDebugInfo()));
+		}
+	}
 }
 
 void ApiListener::OnAllConfigLoaded(void)

lib/remote/apilistener.ti

@@ -32,6 +32,9 @@ class ApiListener : ConfigObject
 	[config, required] String key_path;
 	[config, required] String ca_path;
 	[config] String crl_path;
+	[config] String cipher_list {
+		default {{{ return "ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL"; }}}
+	};
 
 	[config] String bind_host;
 	[config] String bind_port {