MINOR: ssl: remove prefer-server-ciphers statement and set it as the default on ssl listeners.
diff --git a/include/types/listener.h b/include/types/listener.h
index 6fe21ab..2f0f34d 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -108,7 +108,6 @@
int notlsv10; /* disable TLSv1.0 */
int notlsv11; /* disable TLSv1.1 */
int notlsv12; /* disable TLSv1.2 */
- int prefer_server_ciphers; /* Prefer server ciphers */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7c5ffbe..88a5adb 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -477,7 +477,8 @@
SSL_OP_NO_COMPRESSION |
SSL_OP_SINGLE_DH_USE |
SSL_OP_SINGLE_ECDH_USE |
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+ SSL_OP_CIPHER_SERVER_PREFERENCE;
int sslmode =
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
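Review bot: The newly unconditional `SSL_OP_CIPHER_SERVER_PREFERENCE` at the end of the default option list has no comment saying that it is now always on and that the server-side `ciphers` list order therefore decides what gets negotiated, which a reader of this initializer can no longer learn from a keyword. A one-line note such as `SSL_OP_CIPHER_SERVER_PREFERENCE; /* always honour the server's cipher order (was the prefer-server-ciphers keyword) */` would record that. The function this initializer belongs to starts outside the hunk, so I cannot see whether its header comment already mentions the defaults. Making server preference the default is the safer behaviour, since a client can no longer steer the handshake toward the weakest cipher both sides accept.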
@@ -493,8 +494,6 @@
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->no_tls_tickets)
ssloptions |= SSL_OP_NO_TICKET;
- if (bind_conf->prefer_server_ciphers)
- ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(ctx, ssloptions);
SSL_CTX_set_mode(ctx, sslmode);
@@ -1249,13 +1248,6 @@
return 0;
}
-/* parse the "prefer-server-ciphers" bind keyword */
-static int bind_parse_psc(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
- conf->prefer_server_ciphers = 1;
- return 0;
-}
-
/* parse the "ssl" bind keyword */
static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
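Review bot: Deleting bind_parse_psc here, and its table entry in the last hunk, means any existing configuration that still says `prefer-server-ciphers` will presumably be rejected at load time as an unknown bind keyword, even though the behaviour it asked for is now the default; the commit gives no transition path. Keeping the parser as a no-op whose body is just `return 0;` and leaving the `{ "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers (now always on) */` entry in place would let old configs keep loading, optionally reporting a deprecation through the `err` argument the parser already receives. The change also does not appear to touch the configuration documentation, so the keyword's removal or its new default status should be documented alongside this commit.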
@@ -1345,7 +1337,6 @@
{ "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
{ "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
{ "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
- { "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ NULL, NULL, 0 },