From: Timo Sirainen
Date: Sat, 21 Sep 2013 23:20:09 +0000 (+0300)
Subject: Added ssl_prefer_server_ciphers setting.
X-Git-Tag: 2.2.6~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f974134f495e47ba7173f5b0f75fbd5cbacf1fe2;p=thirdparty%2Fdovecot%2Fcore.git

Added ssl_prefer_server_ciphers setting.
---

diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
index 4b5b2b9e67..cab9423f6a 100644
--- a/doc/example-config/conf.d/10-ssl.conf
+++ b/doc/example-config/conf.d/10-ssl.conf
@@ -53,5 +53,8 @@ ssl_key = verbose_ssl;
 ssl_set.verify_remote_cert = set->ssl_verify_client_cert;
+ ssl_set.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
 if (ssl_iostream_context_init_server(&ssl_set, &service->ssl_ctx, &error) < 0) {
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 2d2c7d8edc..346a120ca7 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -369,6 +369,10 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 set->cipher_list, openssl_iostream_error());
 return -1;
 }
+ if (set->prefer_server_ciphers) {
+ SSL_CTX_set_options(ctx->ssl_ctx,
+ SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
 if (ctx->set->protocols != NULL) {
 SSL_CTX_set_options(ctx->ssl_ctx,
 openssl_get_protocol_options(ctx->set->protocols));
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 353c35d6da..0a1ea37caf 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -154,6 +154,8 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 return -1;
 }
 }
+ if (set->prefer_server_ciphers)
+ SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
 if (set->protocols != NULL) {
 SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
 SSL_set_options(ssl_io->ssl, 
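Review bot: In the ssl_iostream_context_set hunk the new SSL_OP_CIPHER_SERVER_PREFERENCE bit is only ever added to ctx->ssl_ctx, so if this function can be applied to an already-configured context a later call with prefer_server_ciphers false silently keeps the preference; the per-stream path in this same commit clears its protocol bits before setting them, and the new flag would want the same treatment, e.g. `else SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);`. Whether ssl_iostream_context_set is ever called on a non-fresh SSL_CTX is not visible here. The new check reads `set->prefer_server_ciphers` while the adjacent check reads `ctx->set->protocols`; if those two can differ, one of them is reading the wrong settings object. ssl_iostream_context_set starts and ends outside the hunk.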
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 8db6bb8f4d..2e2fc7e2a1 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -17,6 +17,7 @@ struct ssl_iostream_settings {
 bool verbose, verbose_invalid_cert; /* stream-only */
 bool verify_remote_cert; /* neither/both */
 bool require_valid_cert; /* stream-only */
+ bool prefer_server_ciphers;
 };

 /* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 508f171e4a..3f5a6c161c 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -99,6 +99,7 @@ struct ssl_server_context {
 const char *cipher_list;
 const char *protocols;
 bool verify_client_cert;
+ bool prefer_server_ciphers;
 };

 static int extdata_index;
@@ -634,6 +635,7 @@ ssl_server_context_get(const struct login_settings *login_set,
 lookup_ctx.verify_client_cert = set->ssl_verify_client_cert ||
 login_set->auth_ssl_require_client_cert ||
 login_set->auth_ssl_username_from_cert;
+ lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;

 ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
 if (ctx == NULL)
@@ -1271,6 +1273,7 @@ ssl_server_context_init(const struct login_settings *login_set,
 ctx->verify_client_cert = ssl_set->ssl_verify_client_cert ||
 login_set->auth_ssl_require_client_cert ||
 login_set->auth_ssl_username_from_cert;
+ ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;

 ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 if (ssl_ctx == NULL)
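Review bot: The new `prefer_server_ciphers` member in struct ssl_iostream_settings is the only field in view without the scope annotation its neighbours carry (`/* stream-only */`, `/* neither/both */`), and it says nothing about what it does. Elsewhere in this commit the flag is honoured both in ssl_iostream_context_set and in openssl_iostream_set, so it looks like the "both" case; I would write `bool prefer_server_ciphers; /* both: negotiate using our cipher_list order, not the client's */`, using whatever label the file reserves for that case, since the exact meaning of the existing labels is not visible here.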
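Review bot: In ssl_server_context_get, `lookup_ctx` is the key passed to `hash_table_lookup(ssl_servers, &lookup_ctx)`, and this commit adds prefer_server_ciphers to that key struct without any visible change to the hash and compare callbacks behind `ssl_servers`. Unless those are updated outside the shown hunks, two configurations that differ only in ssl_prefer_server_ciphers will compare equal and share one cached SSL_CTX, so whichever was initialised first decides the cipher preference for both, silently. The compare callback should require equal `prefer_server_ciphers` alongside verify_client_cert, cipher_list and protocols, and the hash callback should fold it in. ssl_server_context_get starts and ends outside the hunk.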
@@ -1281,6 +1284,8 @@ ssl_server_context_init(const struct login_settings *login_set,
 i_fatal("Can't set cipher list to '%s': %s",
 ctx->cipher_list, ssl_last_error());
 }
+ if (ctx->prefer_server_ciphers)
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 SSL_CTX_set_options(ssl_ctx,
 openssl_get_protocol_options(ctx->protocols));
 if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {
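Review bot: The new conditional SSL_CTX_set_options call in ssl_server_context_init has no comment saying what it changes or why it is optional; a one-liner above it would help: `/* let our cipher_list order win over the client's preference */`. Setting the bit only when the flag is true is sufficient here because ssl_ctx comes straight from SSL_CTX_new in the preceding hunk, unlike a reusable context. If the setting defaults to off, the example config should say that turning it on is the usual hardening, since it is what lets a cipher_list that puts forward-secret suites first actually take effect against clients that order them last. ssl_server_context_init starts and ends outside the hunk.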