OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

* safe bet to say that server admins are better at updating their configs
  than client users are and if client do want to restrict their ciphers,
  they should simply evict the ciphers they don't want from their cipher
  suite
* mbed TLS and OpenSSL behave more similar with the
  SSL_OP_CIPHER_SERVER_PREFERENCE flag

Signed-off-by: Szilárd Pfeiffer <coroner@pfeifferszilard.hu>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170904081012.1975-1-coroner@pfeifferszilard.hu>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15356.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 5fd8e94d311825571931414064e4d13ed808f9b5)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b459afe10ade1557852f658ee87baac0cbb193f7..6bd1c833489e7ba10263d3f5e1c17056bbc88742 100644 (file)
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -238,6 +238,9 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
     if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
       sslopt |= SSL_OP_NO_TLSv1_2;
 #endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+        sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#endif
 #ifdef SSL_OP_NO_COMPRESSION
     /* Disable compression - flag not available in OpenSSL 0.9.8 */
     sslopt |= SSL_OP_NO_COMPRESSION;