Very basic patch to turn on server cipher preference in libtls. This
will allow us to always use our cipher preference over what the client
thinks is best. Tested with httpd as the server and openssl as the
client, with two ciphers selected.
Should we make this a configurable option (possibly on by default)?
Index: lib/libtls/tls_server.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.7
diff -u -p -r1.7 tls_server.c
--- lib/libtls/tls_server.c 31 Mar 2015 14:03:38 -0000 1.7
+++ lib/libtls/tls_server.c 15 May 2015 04:12:43 -0000
@@ -81,6 +81,8 @@ tls_configure_server(struct tls *ctx)
EC_KEY_free(ecdh_key);
}
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
/*
* Set session ID context to a random value. We don't support
* persistent caching of sessions so it is OK to set a temporary
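Review bot: the flag is set unconditionally on ctx->ssl_ctx with no way for a tls_config to opt out, which is exactly the question the cover letter raises; if this goes in, a tls_config knob (default on) would be cleaner than a hard-coded SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE). Two smaller points on the same line: the return value of SSL_CTX_set_options is the new option mask and cannot signal failure, so ignoring it is fine and needs no check; and once server preference is on, the order of the cipher string passed via tls_config_set_ciphers becomes significant (first match in the server's list wins), so the manual page should say that the list is ordered by preference, otherwise an admin who lists a weak suite first silently gets it.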
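The point of the patch is which side's ordering wins when the client's and server's cipher lists overlap. The following is an added example, not code from libtls or from this patch: a small C model of that selection step that takes two ordered lists and picks the first common suite from either the client's order or the server's order, mirroring what SSL_OP_CIPHER_SERVER_PREFERENCE toggles. It deliberately ignores everything else a real handshake checks (protocol version, key exchange, certificate type); the suite names and the two sample lists are constructed for the illustration and are only labels.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of TLS cipher-suite selection (added example, not libtls code).
 * Each list is ordered most-preferred first, as in a ClientHello and in an
 * OpenSSL cipher string. Nothing here touches a real TLS stack.
 */

/* First entry of `pref` that also appears anywhere in `other`, or NULL. */
static const char *
first_common(const char *const *pref, size_t npref,
    const char *const *other, size_t nother)
{
	size_t i, j;

	for (i = 0; i < npref; i++)
		for (j = 0; j < nother; j++)
			if (strcmp(pref[i], other[j]) == 0)
				return pref[i];
	return NULL;
}

/*
 * Pick the suite for a handshake. With server_preference == 0 the client's
 * ordering decides (OpenSSL's default); with server_preference != 0 the
 * server's ordering decides, which is what SSL_OP_CIPHER_SERVER_PREFERENCE
 * selects. Returns NULL when the lists share no suite (handshake failure).
 */
const char *
select_cipher(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, int server_preference)
{
	if (server_preference)
		return first_common(server, nserver, client, nclient);
	return first_common(client, nclient, server, nserver);
}

/* Constructed sample: the client lists its weaker suite first. */
const char *const client_hello[] = {
	"AES128-SHA",
	"ECDHE-RSA-AES256-GCM-SHA384",
};
const size_t nclient_hello = 2;

/* Constructed sample: the server's cipher string, strongest first. */
const char *const server_ciphers[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"AES128-SHA",
};
const size_t nserver_ciphers = 2;

int
main(void)
{
	printf("client preference wins: %s\n",
	    select_cipher(client_hello, nclient_hello,
	    server_ciphers, nserver_ciphers, 0));
	printf("server preference wins: %s\n",
	    select_cipher(client_hello, nclient_hello,
	    server_ciphers, nserver_ciphers, 1));
	return 0;
}
```

Against a real server the same effect can be observed with the test described in the cover letter: connect with `openssl s_client -cipher 'AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384' -connect host:port` and compare the negotiated suite before and after the patch; without the option the server follows the client's order and picks AES128-SHA, with it the server's own first choice is used.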