From 6b32b225106245755e9fe4543e9eb4883cbb9c2b Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 21 Mar 2015 00:04:02 +0100
Subject: Allow to set SSL cipher list in SPMySQL

---
 .../Source/SPMySQLConnection Categories/Copying.m | 1 +
 Frameworks/SPMySQLFramework/Source/SPMySQLConnection.h | 10 ++++++++++
 Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m | 9 ++++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)
(limited to 'Frameworks')

diff --git a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection Categories/Copying.m b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection Categories/Copying.m
index 022708b8..32efa375 100644
--- a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection Categories/Copying.m
+++ b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection Categories/Copying.m
@@ -54,6 +54,7 @@
 [copy setSocketPath:socketPath];
 [copy setUseSSL:useSSL];
 [copy setSslKeyFilePath:sslKeyFilePath];
+ [copy setSslCipherList:sslCipherList];
 [copy setSslCertificatePath:sslCertificatePath];
 [copy setSslCACertificatePath:sslCACertificatePath];
 [copy setTimeout:timeout];
diff --git a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.h b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.h
index 34b21043..1720fcf6 100644
--- a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.h
+++ b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.h
@@ -51,6 +51,7 @@
 NSString *sslKeyFilePath;
 NSString *sslCertificatePath;
 NSString *sslCACertificatePath;
+ NSString *sslCipherList;
 
 // MySQL connection details and state
 struct st_mysql *mySQLConnection;
@@ -143,6 +144,15 @@
 @property (readwrite, retain) NSString *sslCertificatePath;
 @property (readwrite, retain) NSString *sslCACertificatePath;
 
+/**
+ * List of supported ciphers for SSL/TLS connections.
+ * This is a colon-separated string of names as used by
+ * `openssl ciphers`. The order of entries specifies
+ * their preference (earlier = better).
+ * A value of nil (default) means SPMySQL will use its built-in cipher list.
+ */
+@property (readwrite, retain) NSString *sslCipherList;
+
 @property (readwrite, assign) NSUInteger timeout;
 @property (readwrite, assign) BOOL useKeepAlive;
 @property (readwrite, assign) CGFloat keepAliveInterval;
diff --git a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m
index 0d9d16ff..9fa5a9c8 100644
--- a/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m
+++ b/Frameworks/SPMySQLFramework/Source/SPMySQLConnection.m
@@ -65,6 +65,7 @@ const char *SPMySQLSSLPermissibleCiphers = "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RS
 @synthesize sslKeyFilePath;
 @synthesize sslCertificatePath;
 @synthesize sslCACertificatePath;
+@synthesize sslCipherList;
 @synthesize timeout;
 @synthesize useKeepAlive;
 @synthesize keepAliveInterval;
@@ -217,6 +218,8 @@ const char *SPMySQLSSLPermissibleCiphers = "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RS
 [proxy setConnectionStateChangeSelector:NULL delegate:nil];
 [proxy release];
 }
+
+ [self setSslCipherList:nil];
 
 // Ensure the query lock is unlocked, thereafter setting to nil in case of pending calls
 if ([connectionLock condition] != SPMySQLConnectionIdle) {
@@ -546,6 +549,7 @@ const char *SPMySQLSSLPermissibleCiphers = "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RS
 const char *theSSLKeyFilePath = NULL;
 const char *theSSLCertificatePath = NULL;
 const char *theCACertificatePath = NULL;
+ const char *theSSLCiphers = SPMySQLSSLPermissibleCiphers;
 
 if (sslKeyFilePath) {
 theSSLKeyFilePath = [[sslKeyFilePath stringByExpandingTildeInPath] UTF8String];
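Review bot: The new `sslCipherList` property is an NSString declared `retain`, so a caller that hands in an NSMutableString can change the cipher list after it was set, and the value read at connect time may differ from what was validated; `copy` is the conventional attribute for string properties, `@property (readwrite, copy) NSString *sslCipherList;`. The neighbouring SSL path properties use `retain` as well, so this may be a deliberate consistency choice, in which case the doc comment should at least state that the string is read when the connection is established. Since the value replaces the built-in `SPMySQLSSLPermissibleCiphers` list entirely rather than adding to it, the comment could also note that a permissive list lowers the connection's protection below the default.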
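Review bot: The added `[self setSslCipherList:nil];` in the `@@ -217` hunk calls a property setter during what looks like object teardown (the enclosing method starts outside the hunk; the surrounding `[proxy release]` and connection-lock handling suggest `-dealloc`). Under manual reference counting, invoking accessors on self in dealloc can trigger KVO observers or subclass overrides on a partially destroyed object; releasing the ivar directly, `[sslCipherList release]; sslCipherList = nil;`, avoids that. If the rest of the method already nils the other SSL properties through their setters, keeping the same form for consistency is defensible, but it is worth a one-line comment saying so.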
@@ -556,8 +560,11 @@ const char *SPMySQLSSLPermissibleCiphers = "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RS
 if (sslCACertificatePath) {
 theCACertificatePath = [[sslCACertificatePath stringByExpandingTildeInPath] UTF8String];
 }
+ if(sslCipherList) {
+ theSSLCiphers = [sslCipherList UTF8String];
+ }
 
- mysql_ssl_set(theConnection, theSSLKeyFilePath, theSSLCertificatePath, theCACertificatePath, NULL, SPMySQLSSLPermissibleCiphers);
+ mysql_ssl_set(theConnection, theSSLKeyFilePath, theSSLCertificatePath, theCACertificatePath, NULL, theSSLCiphers);
 }
 
 MYSQL *connectionStatus = mysql_real_connect(theConnection, theHost, theUsername, thePassword, NULL, (unsigned int)port, theSocket, SPMySQLConnectionOptions);
-- 
cgit v1.2.3
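Review bot: The new `if(sslCipherList)` guard only tests for nil, so an empty string silently replaces the curated `SPMySQLSSLPermissibleCiphers` list with `""`; what the client library then negotiates (or whether the handshake fails outright) is up to the library rather than the default the header comment promises for the unset case. Testing the length instead, `if ([sslCipherList length]) {`, keeps the safe default for both nil and empty values and matches the documented contract. The surrounding checks are written `if (...)` with a space, so `if (sslCipherList)` would also keep the style consistent. The enclosing method starts before this hunk and continues past it through the `mysql_real_connect` call.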