Add support for preferring the server's cipher list or the client's cipher

list. Prefer the server's cipher list by default.

Based on a diff from Kyle Thompson <jmp at giga dot moe>.

ok beck@ bcook@

1 files changed, 6 insertions, 3 deletions

diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 1a6257232c..579a97798e 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.14 2015/09/09 19:23:04 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.15 2015/09/10 09:10:42 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -66,8 +66,8 @@ int tls_config_set_key_mem(struct tls_config *_config, const uint8_t *_key,
 void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
 void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);
 
-void tls_config_clear_keys(struct tls_config *_config);
-int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr);
+void tls_config_prefer_ciphers_client(struct tls_config *_config);
+void tls_config_prefer_ciphers_server(struct tls_config *_config);
 
 void tls_config_insecure_noverifycert(struct tls_config *_config);
 void tls_config_insecure_noverifyname(struct tls_config *_config);
@@ -76,6 +76,9 @@ void tls_config_verify(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
 
+void tls_config_clear_keys(struct tls_config *_config);
+int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr);
+
 struct tls *tls_client(void);
 struct tls *tls_server(void);
 int tls_configure(struct tls *_ctx, struct tls_config *_config);