Here is an updated diff with some configuration added.

Index: lib/libtls/tls.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls.h,v
retrieving revision 1.12
diff -u -p -r1.12 tls.h
--- lib/libtls/tls.h    31 Mar 2015 14:03:38 -0000      1.12
+++ lib/libtls/tls.h    15 May 2015 18:34:43 -0000
@@ -66,6 +66,9 @@ void tls_config_insecure_noverifycert(st
 void tls_config_insecure_noverifyname(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
 
+void tls_config_prefer_server_ciphers(struct tls_config *_config);
+void tls_config_prefer_client_ciphers(struct tls_config *_config);
+
 struct tls *tls_client(void);
 struct tls *tls_server(void);
 int tls_configure(struct tls *_ctx, struct tls_config *_config);
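Review bot: The two new public prototypes on lines 14-15 come with no accompanying manual-page change in this diff, so callers have nowhere to learn that server preference is the default and that the two calls are mutually exclusive toggles of one setting. If the other tls_config_* functions are documented in tls_init.3, the same page should gain entries for tls_config_prefer_server_ciphers and tls_config_prefer_client_ciphers stating that the former is the default for a new configuration and the latter reverts to the client's ordering.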
Index: lib/libtls/tls_config.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_config.c,v
retrieving revision 1.9
diff -u -p -r1.9 tls_config.c
--- lib/libtls/tls_config.c     22 Feb 2015 15:09:54 -0000      1.9
+++ lib/libtls/tls_config.c     15 May 2015 18:34:43 -0000
@@ -82,6 +82,8 @@ tls_config_new(void)
        
        tls_config_verify(config);
 
+       tls_config_prefer_server_ciphers(config);
+
        return (config);
 
 err:
@@ -299,4 +301,16 @@ tls_config_verify(struct tls_config *con
 {
        config->verify_cert = 1;
        config->verify_name = 1;
+}
+
+void
+tls_config_prefer_server_ciphers(struct tls_config *config)
+{
+       config->prefer_server = 1;
+}
+
+void
+tls_config_prefer_client_ciphers(struct tls_config *config)
+{
+       config->prefer_server = 0;
 }
Index: lib/libtls/tls_internal.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls_internal.h,v
retrieving revision 1.12
diff -u -p -r1.12 tls_internal.h
--- lib/libtls/tls_internal.h   31 Mar 2015 12:21:27 -0000      1.12
+++ lib/libtls/tls_internal.h   15 May 2015 18:34:43 -0000
@@ -46,6 +46,7 @@ struct tls_config {
        int verify_cert;
        int verify_depth;
        int verify_name;
+       int prefer_server;
 };
 
 #define TLS_CLIENT             (1 << 0)
Index: lib/libtls/tls_server.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.7
diff -u -p -r1.7 tls_server.c
--- lib/libtls/tls_server.c     31 Mar 2015 14:03:38 -0000      1.7
+++ lib/libtls/tls_server.c     15 May 2015 18:34:43 -0000
@@ -81,6 +81,10 @@ tls_configure_server(struct tls *ctx)
                EC_KEY_free(ecdh_key);
        }
 
+       if (ctx->config->prefer_server == 1) {
+               SSL_CTX_set_options(ctx->ssl_ctx, 
SSL_OP_CIPHER_SERVER_PREFERENCE); 
+       }
+
        /*
         * Set session ID context to a random value.  We don't support
         * persistent caching of sessions so it is OK to set a temporary
