# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
DEF(SET_BOOL, ssl_verify_client_cert),
DEF(SET_BOOL, ssl_require_crl),
DEF(SET_BOOL, verbose_ssl),
+ DEF(SET_BOOL, ssl_prefer_server_ciphers),
SETTING_DEFINE_LIST_END
};
.ssl_crypto_device = "",
.ssl_verify_client_cert = FALSE,
.ssl_require_crl = TRUE,
- .verbose_ssl = FALSE
+ .verbose_ssl = FALSE,
+ .ssl_prefer_server_ciphers = FALSE
};
const struct setting_parser_info master_service_ssl_setting_parser_info = {
bool ssl_verify_client_cert;
bool ssl_require_crl;
bool verbose_ssl;
+ bool ssl_prefer_server_ciphers;
};
extern const struct setting_parser_info master_service_ssl_setting_parser_info;
ssl_set.verbose = set->verbose_ssl;
ssl_set.verify_remote_cert = set->ssl_verify_client_cert;
+ ssl_set.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
if (ssl_iostream_context_init_server(&ssl_set, &service->ssl_ctx,
&error) < 0) {
set->cipher_list, openssl_iostream_error());
return -1;
}
+ if (set->prefer_server_ciphers) {
+ SSL_CTX_set_options(ctx->ssl_ctx,
+ SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
if (ctx->set->protocols != NULL) {
SSL_CTX_set_options(ctx->ssl_ctx,
openssl_get_protocol_options(ctx->set->protocols));
return -1;
}
}
+ if (set->prefer_server_ciphers)
+ SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (set->protocols != NULL) {
SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
SSL_set_options(ssl_io->ssl,
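Review bot: The stream-level toggle added here only ever ORs the option in: when a stream's settings have prefer_server_ciphers false but the SSL_CTX it came from already carries SSL_OP_CIPHER_SERVER_PREFERENCE (set conditionally in the context hunk above), the inherited option stays in effect and SSL_set_options never undoes it. The protocols handling two lines below clears before it sets, and the new code should follow that pattern: `if (set->prefer_server_ciphers) SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); else SSL_clear_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);`. Whether a stream can be created with settings that differ from its context's is not visible here; if it cannot, the per-stream call is redundant with the context-level one and a one-line comment saying which of the two is authoritative would help the next reader. The enclosing function starts and ends outside the hunk.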
bool verbose, verbose_invalid_cert; /* stream-only */
bool verify_remote_cert; /* neither/both */
bool require_valid_cert; /* stream-only */
+ bool prefer_server_ciphers;
};
/* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
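Review bot: The new `bool prefer_server_ciphers;` is the only field in this hunk without the trailing scope comment its neighbours carry (`/* stream-only */`, `/* neither/both */`), so a reader cannot tell where it is honoured. The commit applies it both at context init and per stream, and SSL_OP_CIPHER_SERVER_PREFERENCE only affects the server side of a handshake, so something like `bool prefer_server_ciphers; /* neither/both; server side only */` would match the surrounding style; the exact wording of the neighbours' annotations is defined by the struct's header comment, which is outside this hunk. The struct's opening line is also outside the hunk.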
const char *cipher_list;
const char *protocols;
bool verify_client_cert;
+ bool prefer_server_ciphers;
};
static int extdata_index;
lookup_ctx.verify_client_cert = set->ssl_verify_client_cert ||
login_set->auth_ssl_require_client_cert ||
login_set->auth_ssl_username_from_cert;
+ lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
if (ctx == NULL)
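Review bot: `lookup_ctx.prefer_server_ciphers` now forms part of the key handed to `hash_table_lookup(ssl_servers, &lookup_ctx)`, but a field is only part of the key if the table's hash and compare callbacks read it, and those callbacks are not in this diff. If the commit does not extend them, two services whose settings differ only in ssl_prefer_server_ciphers will share one SSL_CTX, and because the option is applied once at context creation (the `SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)` hunk further down), the second service's preference is silently ignored. Please confirm the callbacks compare the new field, or add a comment at the `bool prefer_server_ciphers;` line in the ssl_server_context struct hunk above, e.g. `/* every field here must also be handled by the ssl_servers hash/cmp callbacks */`. The same applies to the ctx assignment in the following hunk; the enclosing function starts and ends outside this hunk.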
ctx->verify_client_cert = ssl_set->ssl_verify_client_cert ||
login_set->auth_ssl_require_client_cert ||
login_set->auth_ssl_username_from_cert;
+ ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
if (ssl_ctx == NULL)
i_fatal("Can't set cipher list to '%s': %s",
ctx->cipher_list, ssl_last_error());
}
+ if (ctx->prefer_server_ciphers)
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {