MINOR: ssl: set SSL_OP_PRIORITIZE_CHACHA Sets OpenSSL 1.1.1's SSL_OP_PRIORITIZE_CHACHA unconditionally, as per [1]: When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize ChaCha20-Poly1305 ciphers to the top of the server cipher list if a ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere in the server cipher list; but still allows other clients to use AES and other ciphers. Requires SSL_OP_CIPHER_SERVER_PREFERENCE. [1] https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html

commit: 926594f60627c7727befb15c50eb7680f30948a4 [log] [tgz]
author: Lukas Tribus <lukas@ltri.eu> Fri May 18 17:55:57 2018 +0200
committer: Willy Tarreau <w@1wt.eu> Wed May 23 16:55:15 2018 +0200
tree: 940abcebd25a1e6e384acfa7a4e10d4af7064bdb
parent: 8a16fe0d053b93c00a8bcf86159135f98ca1377e [diff] [blame]
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 223184b..67b4b3a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -10961,6 +10961,9 @@
   Use the client's preference when selecting the cipher suite, by default
   the server's preference is enforced. This option is also available on
   global statement "ssl-default-bind-options".
+  Note that with OpenSSL >= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway
+  (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of
+  the client cipher list.
 
 process <process-set>[/<thread-set>]
   This restricts the list of processes and/or threads on which this listener is
commit	926594f60627c7727befb15c50eb7680f30948a4	[log] [tgz]
author	Lukas Tribus <lukas@ltri.eu>	Fri May 18 17:55:57 2018 +0200
committer	Willy Tarreau <w@1wt.eu>	Wed May 23 16:55:15 2018 +0200
tree	940abcebd25a1e6e384acfa7a4e10d4af7064bdb
parent	8a16fe0d053b93c00a8bcf86159135f98ca1377e [diff] [blame]