On Friday 15 May 2015, Kyle Thompson wrote:
> Very basic patch to turn on server cipher preference in libtls. This
> will allow us to always use our cipher preference over what the client
> thinks is best. Tested with httpd as the server and openssl as the
> client with two ciphers selected.
>
> Should we make this a configurable option (possibly on by default)?
Thanks - this has been on my todo list for a while. I think it needs to be a
configuration option so that it can be disabled (in possibly strange use
cases), however it should be on by default.
> Index: lib/libtls/tls_server.c
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls_server.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 tls_server.c
> --- lib/libtls/tls_server.c 31 Mar 2015 14:03:38 -0000 1.7
> +++ lib/libtls/tls_server.c 15 May 2015 04:12:43 -0000
> @@ -81,6 +81,8 @@ tls_configure_server(struct tls *ctx)
> EC_KEY_free(ecdh_key);
> }
>
> + SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> +
> /*
> * Set session ID context to a random value. We don't support
> * persistent caching of sessions so it is OK to set a temporary
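Review bot: the added `SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` in tls_configure_server() is unconditional, so a libtls user has no way to turn server cipher preference off; since the thread agrees this should be a configuration option that is on by default, gate the call on a flag carried in the tls_config (only calling SSL_CTX_set_options when the flag is set) and document the new option alongside the other tls_config settings in the libtls manual page. Leaving the return value unchecked is fine, as SSL_CTX_set_options returns the resulting option mask rather than a status.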
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard