From 5071f6783ae1cd248cfc9634d76ed1ecad851f5b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Szil=C3=A1rd=20Pfeiffer?=
Date: Mon, 4 Sep 2017 10:10:12 +0200
Subject: [PATCH] OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* safe bet to say that server admins are better at updating their configs than client users are and if client do want to restrict their ciphers, they should simply evict the ciphers they don't want from their cipher suite
* mbed TLS and OpenSSL behave more similar with the SSL_OP_CIPHER_SERVER_PREFERENCE flag

Signed-off-by: Szilárd Pfeiffer
Acked-by: Steffan Karger
Message-Id: <20170904081012.1975-1-coroner@pfeifferszilard.hu>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15356.html
Signed-off-by: David Sommerseth
(cherry picked from commit 5fd8e94d311825571931414064e4d13ed808f9b5)
---
 src/openvpn/ssl_openssl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b459afe10..6bd1c8334 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -238,6 +238,9 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
 if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
 sslopt |= SSL_OP_NO_TLSv1_2;
 #endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#endif
 #ifdef SSL_OP_NO_COMPRESSION
 /* Disable compression - flag not available in OpenSSL 0.9.8 */
 sslopt |= SSL_OP_NO_COMPRESSION;
-- 
2.47.2
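Review bot: The added `#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE` block carries no comment, while the neighbouring `SSL_OP_NO_COMPRESSION` block explains both what it does and why it is guarded; the rationale from the commit message belongs in the code, since it changes which side's cipher order wins the negotiation. I would add above the new `sslopt |=` line: `/* Let the server's cipher order take precedence over the client's, so the server config controls which suite is negotiated (matches mbed TLS behaviour) */`. It is also worth stating that the flag is set unconditionally for client and server contexts and is simply inert on the client side, so a reader does not go looking for a mode check. The enclosing tls_ctx_set_options body starts and ends outside the hunk.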