From bb55b96be5873414f5139ee6f86706b2f219123a Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 10 Sep 2015 09:10:42 +0000
Subject: Add support for preferring the server's cipher list or the client's cipher list. Prefer the server's cipher list by default.

Based on a diff from Kyle Thompson .

ok beck@ bcook@
---
 src/lib/libtls/tls_init.3 | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

(limited to 'src/lib/libtls/tls_init.3')

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 16495112ff..17822d444d 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.25 2015/07/19 17:10:23 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.26 2015/09/10 09:10:42 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 19 2015 $
+.Dd $Mdocdate: September 10 2015 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -35,6 +35,8 @@
 .Nm tls_config_set_key_mem ,
 .Nm tls_config_set_protocols ,
 .Nm tls_config_set_verify_depth ,
+.Nm tls_config_prefer_ciphers_client ,
+.Nm tls_config_prefer_ciphers_server ,
 .Nm tls_config_clear_keys ,
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
@@ -92,6 +94,10 @@
 .Ft "void"
 .Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth"
 .Ft "void"
+.Fn tls_config_prefer_ciphers_client "struct tls_config *config"
+.Ft "void"
+.Fn tls_config_prefer_ciphers_server "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_clear_keys "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_insecure_noverifycert "struct tls_config *config"
@@ -291,6 +297,17 @@ Additionally, the values
 (TLSv1.2 only) may be used.
 .Em (Client and server)
 .It
+.Fn tls_config_prefer_ciphers_client
+prefers ciphers in the client's cipher list when selecting a cipher suite.
+This is considered to be less secure than preferring the server's list.
+.Em (Server)
+.It
+.Fn tls_config_prefer_ciphers_server
+prefers ciphers in the server's cipher list when selecting a cipher suite.
+This is considered to be more secure than preferring the client's list and is
+the default.
+.Em (Server)
+.It
 .Fn tls_config_clear_keys
 clears any secret keys from memory.
 .Em (Server)
-- 
cgit v1.2.3-55-g6feb