git: 2c59ffb05729 - stable/13 - rpc.tlsservd: Modify the -C option to use SSL_CTX_set_ciphersuites

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Sun, 05 Jun 2022 00:46:49 UTC
The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=2c59ffb05729332e9b64545dd8a21e1c3bd0e690

commit 2c59ffb05729332e9b64545dd8a21e1c3bd0e690
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2022-05-22 20:44:31 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2022-06-05 00:45:31 +0000

    rpc.tlsservd: Modify the -C option to use SSL_CTX_set_ciphersuites
    
    Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
    version 1.3 for NFS-over-TLS, as required by
    the draft (someday to be an RFC).
    This patch replaces SSL_CTX_set_cipher_list() with
    SSL_CTX_set_ciphersuites(), since that is the function
    that is used for TLS1.3.
    
    (cherry picked from commit 8d098deda3786b223e44ad1bed923a6d66dfa341)
---
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index 96f3c06a5c2e..206a1f4fd3bd 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -238,6 +238,7 @@ main(int argc, char **argv)
 			break;
 		default:
 			fprintf(stderr, "usage: %s "
+			    "[-C/--ciphers available_ciphers] "
 			    "[-D/--certdir certdir] [-d/--debuglevel] "
 			    "[-h/--checkhost] "
 			    "[-l/--verifylocs CAfile] [-m/--mutualverf] "
@@ -571,14 +572,14 @@ rpctls_setup_ssl(const char *certdir)
 
 	if (rpctls_ciphers != NULL) {
 		/*
-		 * Set preferred ciphers, since KERN_TLS only supports a
+		 * Set available ciphers, since KERN_TLS only supports a
 		 * few of them.  Normally, not doing this should be ok,
 		 * since the library defaults will work.
 		 */
-		ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+		ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers);
 		if (ret == 0) {
 			rpctls_verbose_out("rpctls_setup_ssl: "
-			    "SSL_CTX_set_cipher_list failed: %s\n",
+			    "SSL_CTX_set_ciphersuites failed: %s\n",
 			    rpctls_ciphers);
 			SSL_CTX_free(ctx);
 			return (NULL);