This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new a5beffc4f1 server.honor_cipher_order: Clarify documentation (#12416)
a5beffc4f1 is described below
commit a5beffc4f108362a33c928f15e55d770e9031521
Author: Brian Neradt <[email protected]>
AuthorDate: Mon Aug 4 14:16:09 2025 -0500
server.honor_cipher_order: Clarify documentation (#12416)
Clarify in records.yaml.en.rst that server.honor_cipher_order controls
TLS server preference for TLS groups and signature algorithms in
addition to ciphers.
This also makes use of the SSL_OP_SERVER_PREFERENCE instead of the
misleading SSL_OP_CIPHER_SERVER_PREFERENCE when available.
Fixes: #12382
---
doc/admin-guide/files/records.yaml.en.rst | 6 ++++--
src/iocore/net/SSLConfig.cc | 9 +++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/doc/admin-guide/files/records.yaml.en.rst
b/doc/admin-guide/files/records.yaml.en.rst
index 869b0a9473..7db2bc1aad 100644
--- a/doc/admin-guide/files/records.yaml.en.rst
+++ b/doc/admin-guide/files/records.yaml.en.rst
@@ -3721,8 +3721,10 @@ SSL Termination
.. ts:cv:: CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
- By default (``1``) |TS| will use the server's cipher suites preferences
instead of the client preferences.
- By disabling it (``0``) |TS| will use client's cipher suites preferences.
+ By default (``1``) |TS| will use the server's preferences for cipher
suites, supported groups, and
+ signature algorithms instead of the client preferences. By disabling it
(``0``) |TS| will use the
+ client's preferences. Note that despite the configuration name mentioning
"cipher_order", this
+ setting controls server preference for multiple aspects of TLS negotiation,
not just cipher suites.
.. ts:cv:: CONFIG proxy.config.ssl.server.prioritize_chacha INT 0
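Review bot: the rewritten description (`By default (``1``) |TS| will use the server's preferences for cipher suites, supported groups, and signature algorithms`) promises server preference for groups and signature algorithms unconditionally, but the SSLConfig.cc hunk in this same commit only sets SSL_OP_SERVER_PREFERENCE when that macro is defined and otherwise falls back to SSL_OP_CIPHER_SERVER_PREFERENCE; consider adding one sentence noting that on a TLS library without SSL_OP_SERVER_PREFERENCE the setting affects the cipher suite order only, so an operator reading the docs does not assume a group or signature-algorithm preference that their build may not enforce.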
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index 144f276195..78938c2728 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -457,12 +457,17 @@ SSLConfigParams::initialize()
ats_free(clientALPNProtocols);
}
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+#if defined(SSL_OP_SERVER_PREFERENCE) ||
defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
option =
RecGetRecordInt("proxy.config.ssl.server.honor_cipher_order").value_or(0);
if (option) {
+ // Prefer the newer, more accurately named flag when available.
+#ifdef SSL_OP_SERVER_PREFERENCE
+ ssl_ctx_options |= SSL_OP_SERVER_PREFERENCE;
+#else
ssl_ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
- }
#endif
+ }
+#endif // defined(SSL_OP_SERVER_PREFERENCE) ||
defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
#ifdef SSL_OP_PRIORITIZE_CHACHA
option =
RecGetRecordInt("proxy.config.ssl.server.prioritize_chacha").value_or(0);
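Review bot: the nested `#ifdef SSL_OP_SERVER_PREFERENCE` / `#else` / `#endif` placed inside the `if (option) {` block, with the closing `}` moved below it, is logically correct (the outer `#if defined(...) || defined(...)` guarantees the `#else` branch only compiles when SSL_OP_CIPHER_SERVER_PREFERENCE exists) but it is harder to follow than it needs to be; a simpler shape is to pick the flag once above the block, e.g. `#ifdef SSL_OP_SERVER_PREFERENCE` / `  const auto server_pref_flag = SSL_OP_SERVER_PREFERENCE;` / `#else` with the old macro, and then keep a single `ssl_ctx_options |= server_pref_flag;` inside the `if`. The new comment `// Prefer the newer, more accurately named flag when available.` would also be more useful if it stated the behavioral difference, namely that the fallback path governs cipher suite order only while the newer flag also covers supported groups and signature algorithms, since that is the whole point of the rename and is what a future reader will need when diagnosing a negotiation mismatch.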