From 37993c3dad69a70b59462edc809b877a5399ab3f Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Mon, 11 Aug 2008 19:39:08 +0000
Subject: [PATCH] Allowed ciphers option
---
 miniserv.pl | 12 ++++++++++++
 webmin/CHANGELOG | 1 +
 webmin/change_ssl.cgi | 7 +++++++
 webmin/edit_ssl.cgi | 4 ++++
 webmin/lang/en | 2 ++
 5 files changed, 26 insertions(+)
diff --git a/miniserv.pl b/miniserv.pl
index 89e0bf5fa..f51b83993 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -3816,6 +3816,17 @@ if (!$sn) {
 local $myip = inet_ntoa((unpack_sockaddr_in($sn))[1]);
 local $ssl_ctx = $ssl_contexts{$myip} || $ssl_contexts{"*"};
 local $ssl_con = Net::SSLeay::new($ssl_ctx);
+if ($config{'ssl_cipher_list'}) {
+ # Force use of ciphers
+ eval "Net::SSLeay::set_cipher_list(
+ \$ssl_con, \$config{'ssl_cipher_list'})";
+ if ($@) {
+ print STDERR "SSL cipher $config{'ssl_cipher_list'} failed : ",
+ "$@\n";
+ }
+ else {
+ }
+ }
 Net::SSLeay::set_fd($ssl_con, fileno($sock));
 if (!Net::SSLeay::accept($ssl_con)) {
 print STDERR "Failed to initialize SSL connection\n";
@@ -4531,6 +4542,7 @@ local @substrings = (
 # SymbianOS is the only distinguishing string
 "iPhone", # Apple iPhone KHTML browser
 "iPod", # iPod touch browser
+ "MobileSafari", # HTTP client in iPhone
 );
 foreach my $p (@prefixes) {
 return 1 if ($agent =~ /^\Q$p\E/);
diff --git a/webmin/CHANGELOG b/webmin/CHANGELOG
index 05f1130cc..ba9b9d3d5 100644
--- a/webmin/CHANGELOG
+++ b/webmin/CHANGELOG
@@ -79,3 +79,4 @@ The default scheduled update time is now randomly selected.
 Refresh the left-side frame when installing, removing or re-categorizing modules.
 ---- Changes since 1.420 ----
 On Linux systems, the IO scheduling class and priority for Webmin Cron jobs can be set on the Advanced Options page.
+Added a field to the SSL Encryption page for setting allowed ciphers.
diff --git a/webmin/change_ssl.cgi b/webmin/change_ssl.cgi
index 0ac6eda93..f48d0c53d 100755
--- a/webmin/change_ssl.cgi
+++ b/webmin/change_ssl.cgi
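Review bot: In the miniserv.pl hunk at line 3816, the return value of `Net::SSLeay::set_cipher_list` is discarded and only `$@` is checked, so a cipher string that OpenSSL rejects is not logged and the handshake appears to proceed with whatever ciphers the context already allows; the empty `else { }` suggests the success path was never finished. Capture the result and treat a false value as failure, e.g. `my $ok = eval { Net::SSLeay::set_cipher_list($ssl_con, $config{'ssl_cipher_list'}) };` followed by `if ($@ || !$ok) { ... }`. Consider failing the connection at that point rather than continuing to `accept`, since an administrator who set this option expects the restriction to hold. A block `eval` still traps a missing function at run time, which is presumably why the string `eval` was used. The enclosing function starts and ends outside the hunk.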
@@ -20,6 +20,13 @@ else { $in{'version'} =~ /^\d+$/ || &error($text{'ssl_eversion'}); $miniserv{'ssl_version'} = $in{'version'}; } +if ($in{'cipher_list_def'}) { + delete($miniserv{'ssl_cipher_list'}); + } +else { + $in{'cipher_list'} =~ /^\S+$/ || &error($text{'ssl_ecipher_list'}); + $miniserv{'ssl_cipher_list'} = $in{'cipher_list'}; + } foreach $ec (split(/[\r\n]+/, $in{'extracas'})) { -r $ec && !-d $ec || &error(&text('ssl_eextraca', $ec)); push(@extracas, $ec); diff --git a/webmin/edit_ssl.cgi b/webmin/edit_ssl.cgi index 0565605a6..a829442dd 100755 --- a/webmin/edit_ssl.cgi +++ b/webmin/edit_ssl.cgi @@ -54,6 +54,10 @@ print &ui_table_row($text{'ssl_version'}, &ui_opt_textbox("version", $miniserv{'ssl_version'}, 4, $text{'ssl_auto'})); +print &ui_table_row($text{'ssl_cipher_list'}, + &ui_opt_textbox("cipher_list", $miniserv{'ssl_cipher_list'}, 30, + $text{'ssl_auto'})); + print &ui_table_row($text{'ssl_extracas'}, &ui_textarea("extracas", join("\n",split(/\s+/, $miniserv{'extracas'})), 3, 60)); diff --git a/webmin/lang/en b/webmin/lang/en index efda5d560..5090f9385 100644 --- a/webmin/lang/en +++ b/webmin/lang/en @@ -333,6 +333,8 @@ ssl_addipkey=Add a new IP-specific SSL key. ssl_return=SSL keys ssl_version=SSL protocol version ssl_no2=Allow SSL version 2 browsers? +ssl_cipher_list=Allowed SSL ciphers +ssl_ecipher_list=Missing or invalid cipher list - must be like HIGH:-SSLv2:-aNULL ssl_auto=Detect automatically ssl_eversion=Missing or invalid version number ssl_saveheader=Upload existing key
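Review bot: The `/^\S+$/` check in the change_ssl.cgi hunk accepts any run of non-whitespace, and `$` also matches before a trailing newline, so the value stored in `$miniserv{'ssl_cipher_list'}` is not limited to characters an OpenSSL cipher string uses. Anchor with `\A`/`\z` and restrict the alphabet, for example `$in{'cipher_list'} =~ /\A[A-Za-z0-9:+!@=_.\-]+\z/ || &error($text{'ssl_ecipher_list'});` (the exact character set should be confirmed against the cipher-string syntax you intend to allow). A well-formed but unknown cipher name still passes this check, so the save handler alone cannot tell the administrator that the restriction will not take effect; that depends on how miniserv.pl treats a rejected list.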