Add support for preferring the server's cipher list or the client's cipher

list. Prefer the server's cipher list by default.

Based on a diff from Kyle Thompson <jmp at giga dot moe>.

ok beck@ bcook@

1 files changed, 15 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 2a0033b3bd..4d536853c8 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.11 2015/09/09 19:49:07 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.12 2015/09/10 09:10:42 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -80,6 +80,8 @@ tls_config_new(void)
         tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
         tls_config_set_verify_depth(config, 6);
         
+        tls_config_prefer_ciphers_server(config);
+
         tls_config_verify(config);
 
         return (config);
@@ -283,6 +285,18 @@ tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
 }
 
 void
+tls_config_prefer_ciphers_client(struct tls_config *config)
+{
+        config->ciphers_server = 0;
+}
+
+void
+tls_config_prefer_ciphers_server(struct tls_config *config)
+{
+        config->ciphers_server = 1;
+}
+
+void
 tls_config_insecure_noverifycert(struct tls_config *config)
 {
         config->verify_cert = 0;