Sync

- Default TLS cipher selection, with override (thanks to Zed Jorarard).
- Updated documentation.

AUTHORS

@@ -93,6 +93,7 @@ The following submitted code, packages or analysis, and deserve special thanks:
   Aaron Bieber
   John West
   Jeroen Budts
+  Zed Jorarard
 
 Thanks to the following, who submitted detailed bug reports and excellent
 suggestions:

NEWS

@@ -27,6 +27,7 @@ New configuration options in taskwarrior 2.3.0
   - 'taskd.key' specifies the task server key for encryption.
   - 'taskd.ca' specifies the task server CA.
   - 'taskd.trust' overrides certificate checking.
+  - 'taskd.ciphers' overrides default cipher selection.
   - 'debug.tls' shows TLS log information, for debugging.
   - The configuration file supports JSON encoding of unicode characters \uNNNN.
 

doc/man/taskrc.5.in

@@ -1375,11 +1375,19 @@ using a self-signed certificate.  Optional.
 .TP
 .B taskd.trust=yes|no
 .RS
-If you do not specify a CA certificate when your task server is usㄟng a self-
+If you do not specify a CA certificate when your task server is using a self-
 signed certificate, you can override the certificate validation by setting this
 value to 'yes'.  Default is not to trust a server certificate.
 .RE
 
+.TP
+.B taskd.ciphers=NORMAL
+Override of the cipher selection.  The set of ciphers used by TLS may be
+controlled by both server and client.  There must be some overlap between
+client and server supported ciphers, or communication cannot occur.
+Default is "NORMAL".  See GnuTLS documentation for full details.
+.RE
+
 .SH "CREDITS & COPYRIGHTS"
 Copyright (C) 2006 \- 2013 P. Beckingham, F. Hernandez.
 

src/Config.cpp

@@ -301,6 +301,7 @@ std::string Config::_defaults =
   "#taskd.certificate <certificat file>\n"
   "#taskd.credentials <organization>/<name>/<password>\n"
   "#taskd.server      <server>:<port>\n"
+  "taskd.ciphers=NORMAL\n"
 	"\n"
   "# Aliases - alternate names for commands\n"
   "alias.rm=delete                                # Alias for the delete command\n"

src/TLSClient.cpp

@@ -154,6 +154,12 @@ void TLSClient::trust (bool value)
   }
 }
 
+////////////////////////////////////////////////////////////////////////////////
+void TLSClient::ciphers (const std::string& cipher_list)
+{
+  _ciphers = cipher_list;
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 void TLSClient::init (
   const std::string& ca,
@@ -181,9 +187,12 @@ void TLSClient::init (
 #endif
   gnutls_init (&_session, GNUTLS_CLIENT);
 
-  // Use default priorities.
+  // Use default priorities unless overridden.
+  if (_ciphers == "")
+    _ciphers = "NORMAL";
+
   const char *err;
-  int ret = gnutls_priority_set_direct (_session, "NORMAL", &err);
+  int ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err);
   if (ret < 0)
   {
     if (_debug && ret == GNUTLS_E_INVALID_REQUEST)

src/TLSClient.h

@@ -40,6 +40,7 @@ public:
   void limit (int);
   void debug (int);
   void trust (bool);
+  void ciphers (const std::string&);
   void init (const std::string&, const std::string&, const std::string&);
   void connect (const std::string&, const std::string&);
   void bye ();
@@ -51,6 +52,7 @@ private:
   std::string                      _ca;
   std::string                      _cert;
   std::string                      _key;
+  std::string                      _ciphers;
   gnutls_certificate_credentials_t _credentials;
   gnutls_session_t                 _session;
   int                              _socket;

src/commands/CmdDiagnostics.cpp

@@ -238,6 +238,10 @@ int CmdDiagnostics::execute (std::string& output)
       << context.config.get ("taskd.key")
       << "\n";
 
+  out << "    Ciphers: "
+      << context.config.get ("taskd.ciphers")
+      << "\n";
+
   // Get credentials, but mask out the key.
   std::string credentials = context.config.get ("taskd.credentials");
   std::string::size_type last_slash = credentials.rfind ('/');

src/commands/CmdShow.cpp

@@ -191,6 +191,7 @@ int CmdShow::execute (std::string& output)
     " taskd.server"
     " taskd.ca"
     " taskd.certificate"
+    " taskd.ciphers"
     " taskd.credentials"
     " taskd.key"
     " taskd.trust"

src/commands/CmdSync.cpp

@@ -345,6 +345,7 @@ bool CmdSync::send (
     client.debug (context.config.getInteger ("debug.tls"));
 
     client.trust (trust);
+    client.ciphers (context.config.get ("taskd.ciphers"));
     client.init (ca, certificate, key);
     client.connect (server, port);
     client.send (request.serialize () + "\n");