From 68086656e9a5e9ebf88a5604b116568cae66975f Mon Sep 17 00:00:00 2001
From: Lukas Zeller
Date: Thu, 7 Mar 2024 18:57:41 +0100
Subject: [PATCH] Add `tls_ciphers` option to allow specifiying custom ciphers list
This is needed in particular when running pagekite.py on debian >=11 where the cipherlist must be set to `DEFAULT@SECLEVEL=1` to allow current (at the time of writing this) libpagekite embedded backends to connect, as these use TLSv1 even on platforms which do support TLSv2 and later.
---
 pagekite/manual.py | 11 ++++++++++-
 pagekite/pk.py | 7 +++++--
 pagekite_gtk.py | 1 +
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 120000 pagekite_gtk.py
diff --git a/pagekite/manual.py b/pagekite/manual.py
index 24a64d25..27a1edd5 100755
--- a/pagekite/manual.py
+++ b/pagekite/manual.py
@@ -337,6 +337,15 @@
 Default name to use for SSL, if SNI (Server Name Indication) is missing from incoming HTTPS connections.
+ --tls_ciphers=cipher list __
+ List of ciphers to use for front end server TLS sockets.
+ For example, Debian 11 and later may need DEFAULT@SECLEVEL=1
+ in order to allow TLSv1 connections from older embedded
+ backends. Make sure you know what you are doing when using this!
+
+ --tls_legacy __Allow legacy TLS for front end servers.
+ Make sure you know what you are doing when using this!
+
 --tls_endpoint=name:/path/to/file __ Terminate SSL/TLS for a name using key/cert from a file.
@@ -355,7 +364,7 @@
 --savefile=/path/to/file __ Saved settings will be written to this file.
- --save __Save the current configuration to the savefile.
+ --save __Save the current configuration to the savefile.
 --settings __ Dump the current settings to STDOUT, formatted as a configuration
diff --git a/pagekite/pk.py b/pagekite/pk.py
index 938bf03a..b85e1c91 100755
--- a/pagekite/pk.py
+++ b/pagekite/pk.py
@@ -91,7 +91,7 @@
 'auththreads=', 'authdomain=', 'authfail_closed', 'motd=', 'register=', 'host=', 'noupgradeinfo', 'upgradeinfo=', 'ports=', 'protos=', 'portalias=', 'rawports=',
- 'tls_legacy', 'tls_default=', 'tls_endpoint=', 'selfsign',
+ 'tls_legacy', 'tls_ciphers=', 'tls_default=', 'tls_endpoint=', 'selfsign',
 'fe_certname=', 'fe_nocertcheck', 'ca_certs=', 'kitename=', 'kitesecret=', 'backend=', 'define_backend=', 'be_config=',
@@ -1080,6 +1080,7 @@ def ResetConfiguration(self):
 self.tls_legacy = False
 self.tls_default = None
+ self.tls_ciphers = None
 self.tls_endpoints = {}
 self.fe_certname = [] #
@@ -1555,6 +1556,7 @@ def addManualFrontends():
 config.append('# tls_endpoint = DOMAIN:PEM_FILE')
 config.extend([
 p('tls_default = %s', self.tls_default, 'DOMAIN'),
+ p('tls_ciphers = %s', self.tls_ciphers, ''),
 p('tls_legacy = %s', self.tls_legacy, False),
 '',
 ])
@@ -2371,10 +2373,11 @@ def Configure(self, argv):
 self.ui_paths[host] = hosti
 elif opt == '--tls_default': self.tls_default = arg
+ elif opt == '--tls_ciphers': self.tls_ciphers = arg
 elif opt == '--tls_legacy': self.tls_legacy = True
 elif opt == '--tls_endpoint':
 name, pemfile = arg.split(':', 1)
- ctx = socks.MakeBestEffortSSLContext(legacy=self.tls_legacy)
+ ctx = socks.MakeBestEffortSSLContext(legacy=self.tls_legacy, ciphers=self.tls_ciphers)
 ctx.use_privatekey_file(pemfile)
 ctx.use_certificate_chain_file(pemfile)
 self.tls_endpoints[name] = (pemfile, ctx)
diff --git a/pagekite_gtk.py b/pagekite_gtk.py
new file mode 120000
index 00000000..ffb68aa3
--- /dev/null
+++ b/pagekite_gtk.py
@@ -0,0 +1 @@
+scripts/pagekite_gtk
\ No newline at end of file
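Review bot: The placeholder passed as the third argument in the added `p('tls_ciphers = %s', self.tls_ciphers, '')` is an empty string, while the neighbouring `tls_default` entry passes the example `'DOMAIN'`; if `p()` prints that argument as the sample value of a commented-out line when the setting is unset, the saved configuration would show `# tls_ciphers = ` with nothing after it. A placeholder in the same spirit as the neighbours, e.g. `p('tls_ciphers = %s', self.tls_ciphers, 'CIPHER_LIST'),`, would make the generated settings file self-explanatory. The definition of `p()` is not visible in the hunk, so this is inferred from the adjacent calls, and the enclosing addManualFrontends body starts and ends outside the hunk.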
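Review bot: The new `ciphers=self.tls_ciphers` keyword on the `socks.MakeBestEffortSSLContext` call assumes that function already accepts a `ciphers` parameter; the diffstat lists only manual.py, pk.py and the pagekite_gtk.py symlink, so unless the socks module gained that parameter in an earlier commit, every `--tls_endpoint` would now fail with a TypeError before the key and certificate are loaded. The cipher string is also captured at the moment `--tls_endpoint` is parsed, so `--tls_ciphers` only affects endpoints that appear after it on the command line or in the config file — the same ordering dependence `--tls_legacy` already has — which deserves a sentence in the manual entry or a comment such as `# --tls_ciphers/--tls_legacy must precede --tls_endpoint: the context is built here`. Because the motivating value `DEFAULT@SECLEVEL=1` deliberately lowers OpenSSL's security level, emitting the effective cipher string in the startup log would keep the weakened configuration visible to whoever operates the front end. The enclosing Configure method starts and ends outside the hunk.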
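Review bot: The new `pagekite_gtk.py` symlink to `scripts/pagekite_gtk` is unrelated to the cipher option and is not mentioned in the commit message; if it is intentional it belongs in its own commit with a one-line rationale, and if it was picked up from the working tree by accident it should be dropped before merging. A symlink in the package root may also not survive checkouts or packaging steps that do not preserve symlinks, so its presence is worth a deliberate decision rather than an incidental one.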