Add support for preferring the server's cipher list or the client's cipher

list. Prefer the server's cipher list by default.

Based on a diff from Kyle Thompson <jmp at giga dot moe>.

ok beck@ bcook@

1 files changed, 5 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 8fa876c6fd..a3cee09596 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.13 2015/09/09 19:49:07 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.14 2015/09/10 09:10:42 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -88,6 +88,10 @@ tls_configure_server(struct tls *ctx)
                 EC_KEY_free(ecdh_key);
         }
 
+        if (ctx->config->ciphers_server == 1)
+                SSL_CTX_set_options(ctx->ssl_ctx,
+                    SSL_OP_CIPHER_SERVER_PREFERENCE); 
+
         /*
          * Set session ID context to a random value.  We don't support
          * persistent caching of sessions so it is OK to set a temporary