I found the right man page and ended up with this:

    // SSL_CTX_set_options() takes a long bitmask here, so don't use int
    long options = SSL_OP_ALL
        // also try to pick the same cipher suites more often
        | SSL_OP_CIPHER_SERVER_PREFERENCE
        // and don't use SSLv2, even if the client wants to
        | SSL_OP_NO_SSLv2
        ;
    SSL_CTX_set_options( ctx, options );
    SSL_CTX_set_cipher_list( ctx, "kEDH:HIGH:!aNULL:!MD5" );

This means: the client says what it supports, and the server picks what the
_server_ likes best from the list. The server likes anything with proper
Diffie-Hellman best, and if the client supports nothing suitable, the
server will take anything OpenSSL considers high security that the client
supports.
Arnt
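
Added example, not part of the original post: a way to check what the cipher string above expands to on a given OpenSSL build. It uses Python's standard ssl module, which hands the string to the same OpenSSL parser; the function names expand and audit are made up for this example.

```python
import ssl

CIPHER_STRING = "kEDH:HIGH:!aNULL:!MD5"  # the string from the post


def expand(cipher_string=CIPHER_STRING):
    """Return the suites OpenSSL selects, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same intent as SSL_OP_CIPHER_SERVER_PREFERENCE in the post.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are not affected by
    # the cipher string, so they are left out of the check.
    return [c for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def audit(suites):
    """Check the properties the post describes for the cipher string."""
    is_dhe = [c.get("kea") == "kx-dhe" for c in suites]
    # Index of the first suite that is not ephemeral Diffie-Hellman.
    first_other = is_dhe.index(False) if False in is_dhe else len(is_dhe)
    return {
        # No DHE suite may appear after the first non-DHE suite.
        "dhe_first": not any(is_dhe[first_other:]),
        # !aNULL: no suite without authentication.
        "no_anonymous": all(c.get("auth") != "auth-null" for c in suites),
        # !MD5: no suite using MD5 as its MAC digest (AEAD suites have None).
        "no_md5": all((c.get("digest") or "").lower() != "md5" for c in suites),
        "dhe_count": first_other,
    }


if __name__ == "__main__":
    suites = expand()
    for rank, c in enumerate(suites, 1):
        print(f"{rank:3} {c['name']:34} {c.get('kea')!s:10} {c.get('auth')}")
    print(audit(suites))
```

The printed order is the order the server will prefer; a dhe_count of 0 means the local OpenSSL build offers no ephemeral Diffie-Hellman suites, so only the HIGH fallback applies.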