git.ipfire.org Git - thirdparty/pdns.git/commit

author	Sukhbir Singh <ssingh@wikimedia.org>
	Tue, 22 Sep 2020 14:52:00 +0000 (10:52 -0400)
committer	Sukhbir Singh <ssingh@wikimedia.org>
	Wed, 23 Sep 2020 11:00:14 +0000 (07:00 -0400)
commit	9f9ef46aabb19b661f9f2f7695f14a9a0d42e3bb
tree	b608233705c7fb343605709e1185575907e44b77	tree
parent	109c199dbd337405bdd25aad4fa6a8c419dc6fdb	commit \| diff

dnsdist: prioritize ChaCha20-Poly1305 when client does

The OpenSSL option SSL_OP_PRIORITIZE_CHACHA prioritizes
ChaCha20-Poly1305 if the client does by temporarily re-prioritizing it
to the top of the server cipher list. Since dnsdist already sets
SSL_OP_CIPHER_SERVER_PREFERENCE by default (preferServerCiphers is set
to true), setting this option enables clients that prefer ChaCha20 due
to a lack of AES-NI (such as mobile devices) to override the server
specified list. This option requires SSL_OP_CIPHER_SERVER_PREFERENCE to
be set and was introduced in OpenSSL 1.1.1.

Note that this change neither affects clients that prefer AES or other
ciphers, nor dnsdist's default options, unless the client explicitly
prioritizes ChaCha20.

.github/actions/spell-check/expect.txt		diff \| blob \| blame \| history
pdns/dnsdistdist/docs/reference/config.rst		diff \| blob \| blame \| history
pdns/dnsdistdist/libssl.cc		diff \| blob \| blame \| history