From 3c4bc6e10ae5ec3b82ff55fe4c0494309d5fee87 Mon Sep 17 00:00:00 2001
From: Emeric Brun
Date: Thu, 4 Oct 2012 18:44:19 +0200
Subject: [PATCH] MINOR: ssl: remove prefer-server-ciphers statement and set it as the default on ssl listeners.

---
 include/types/listener.h |  1 -
 src/ssl_sock.c           | 13 ++-----------
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/include/types/listener.h b/include/types/listener.h
index 6fe21ab888..2f0f34db4b 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -108,7 +108,6 @@ struct bind_conf {
 	int notlsv10; /* disable TLSv1.0 */
 	int notlsv11; /* disable TLSv1.1 */
 	int notlsv12; /* disable TLSv1.2 */
-	int prefer_server_ciphers; /* Prefer server ciphers */
 	int verify; /* verify method (set of SSL_VERIFY_* flags) */
 	SSL_CTX *default_ctx; /* SSL context of first/default certificate */
 	struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7c5ffbe6ba..88a5adb7d9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -477,7 +477,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		SSL_OP_NO_COMPRESSION |
 		SSL_OP_SINGLE_DH_USE |
 		SSL_OP_SINGLE_ECDH_USE |
-		SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+		SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+		SSL_OP_CIPHER_SERVER_PREFERENCE;
 	int sslmode =
 		SSL_MODE_ENABLE_PARTIAL_WRITE |
 		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
@@ -493,8 +494,6 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		ssloptions |= SSL_OP_NO_TLSv1_2;
 	if (bind_conf->no_tls_tickets)
 		ssloptions |= SSL_OP_NO_TICKET;
-	if (bind_conf->prefer_server_ciphers)
-		ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 	SSL_CTX_set_options(ctx, ssloptions);
 	SSL_CTX_set_mode(ctx, sslmode);
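Review bot: Turning on SSL_OP_CIPHER_SERVER_PREFERENCE unconditionally in the ssloptions initializer makes the order of the listener's configured cipher string authoritative, and nothing on that line says so; a cipher list that is not ordered strongest-first will now select the weaker suite that the client itself would have ranked lower. A short comment on the added line would prevent that surprise: `/* server cipher order wins: "ciphers" lists must be ordered strongest-first */`. With the bind_conf flag removed in the second hunk there also appears to be no per-listener way back to client preference; if that is intentional, the commit message should state it explicitly, since "set it as the default" suggests an override still exists. The body of ssl_sock_prepare_ctx starts before this hunk and continues after it.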
@@ -1249,13 +1248,6 @@ static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struc
 	return 0;
 }
 
-/* parse the "prefer-server-ciphers" bind keyword */
-static int bind_parse_psc(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-	conf->prefer_server_ciphers = 1;
-	return 0;
-}
-
 /* parse the "ssl" bind keyword */
 static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
@@ -1345,7 +1337,6 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 	{ "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
 	{ "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
 	{ "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
-	{ "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
 	{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
 	{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
 	{ NULL, NULL, 0 },
-- 
2.39.5