Merge pull request #553 from orozery/custom_cipher_suite

add TLS cipher suites customization

doc/man/s3fs.1

@@ -243,6 +243,11 @@ Enable compatibility with S3-like APIs which do not support the virtual-host req
 Usually s3fs outputs of the User-Agent in "s3fs/<version> (commit hash <hash>; <using ssl library name>)" format.
 If this option is specified, s3fs suppresses the output of the User-Agent.
 .TP
+\fB\-o\fR cipher_suites
+Customize TLS cipher suite list. Expects a colon separated list of cipher suite names.
+A list of available cipher suites, depending on your TLS engine, can be found on the CURL library documentation:
+https://curl.haxx.se/docs/ssl-ciphers.html
+.TP
 \fB\-o\fR dbglevel (default="crit")
 Set the debug message level. set value as crit(critical), err(error), warn(warning), info(information) to debug level. default debug level is critical.
 If s3fs run with "-d" option, the debug level is set information.

src/common.h

@@ -158,6 +158,7 @@ extern std::string    host;
 extern std::string    bucket;
 extern std::string    mount_prefix;
 extern std::string    endpoint;
+extern std::string    cipher_suites;
 extern s3fs_log_level debug_level;
 extern const char*    s3fs_log_nest[S3FS_LOG_NEST_MAX];
 

src/curl.cpp

@@ -1616,6 +1616,9 @@ bool S3fsCurl::ResetHandle(void)
       curl_easy_setopt(hCurl, CURLOPT_DEBUGFUNCTION, S3fsCurl::CurlDebugFunc);
     }
   }
+  if(!cipher_suites.empty()) {
+    curl_easy_setopt(hCurl, CURLOPT_SSL_CIPHER_LIST, cipher_suites.c_str());
+  }
 
   S3fsCurl::curl_times[hCurl]    = time(0);
   S3fsCurl::curl_progress[hCurl] = progress_t(-1, -1);

src/s3fs.cpp

@@ -93,6 +93,7 @@ std::string service_path          = "/";
 std::string host                  = "http://s3.amazonaws.com";
 std::string bucket                = "";
 std::string endpoint              = "us-east-1";
+std::string cipher_suites         = "";
 s3fs_log_level debug_level        = S3FS_LOG_CRIT;
 const char*    s3fs_log_nest[S3FS_LOG_NEST_MAX] = {"", "  ", "    ", "      "};
 
@@ -4722,6 +4723,10 @@ static int my_fuse_opt_proc(void* data, const char* arg, int key, struct fuse_ar
       }
       return 0;
     }
+    if(0 == STR2NCMP(arg, "cipher_suites=")){
+      cipher_suites = strchr(arg, '=') + sizeof(char);
+      return 0;
+    }
     //
     // debug option for s3fs
     //

src/s3fs_util.cpp

@@ -1179,6 +1179,13 @@ void show_help (void)
     "   curldbg - put curl debug message\n"
     "        Put the debug message from libcurl when this option is specified.\n"
     "\n"
+    "   cipher_suites - customize TLS cipher suite list\n"
+    "        Customize the list of TLS cipher suites.\n"
+    "        Expects a colon separated list of cipher suite names.\n"
+    "        A list of available cipher suites, depending on your TLS engine,\n"
+    "        can be found on the CURL library documentation:\n"
+    "        https://curl.haxx.se/docs/ssl-ciphers.html\n"
+    "\n"
     "FUSE/mount Options:\n"
     "\n"
     "   Most of the generic mount options described in 'man mount' are\n"