Feature #2364 ยป honor-cipher-order.diff
| src/base.h 2011-11-04 12:21:22.000000000 +0100 | ||
|---|---|---|
|
buffer *ssl_cipher_list;
|
||
|
buffer *ssl_dh_file;
|
||
|
buffer *ssl_ec_curve;
|
||
|
unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
|
||
|
unsigned short ssl_use_sslv2;
|
||
|
unsigned short ssl_use_sslv3;
|
||
|
unsigned short ssl_verifyclient;
|
||
|
-- src/configfile.c 2011-06-13 16:10:46.000000000 +0200
|
||
|
++ src/configfile.c 2011-11-04 12:21:17.000000000 +0100
|
||
| ... | ... | |
|
{ "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */
|
||
|
{ "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */
|
||
|
{ "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
|
||
|
{ "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 65 */
|
||
|
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
|
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
| ... | ... | |
|
s->max_write_idle = 360;
|
||
|
s->use_xattr = 0;
|
||
|
s->is_ssl = 0;
|
||
|
s->ssl_honor_cipher_order = 0;
|
||
|
s->ssl_use_sslv2 = 0;
|
||
|
s->ssl_use_sslv3 = 1;
|
||
|
s->use_ipv6 = 0;
|
||
| ... | ... | |
|
cv[62].destination = &(s->ssl_use_sslv3);
|
||
|
cv[63].destination = s->ssl_dh_file;
|
||
|
cv[64].destination = s->ssl_ec_curve;
|
||
|
cv[65].destination = &(s->ssl_honor_cipher_order);
|
||
|
cv[49].destination = &(s->etag_use_inode);
|
||
|
cv[50].destination = &(s->etag_use_mtime);
|
||
|
cv[51].destination = &(s->etag_use_size);
|
||
| ... | ... | |
|
PATCH(ssl_cipher_list);
|
||
|
PATCH(ssl_dh_file);
|
||
|
PATCH(ssl_ec_curve);
|
||
|
PATCH(ssl_honor_cipher_order);
|
||
|
PATCH(ssl_use_sslv2);
|
||
|
PATCH(ssl_use_sslv3);
|
||
|
PATCH(etag_use_inode);
|
||
| ... | ... | |
|
#endif
|
||
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
|
||
|
PATCH(ssl_ca_file);
|
||
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
|
||
|
PATCH(ssl_honor_cipher_order);
|
||
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
|
||
|
PATCH(ssl_use_sslv2);
|
||
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
|
||
|
-- src/network.c 2011-04-24 15:02:45.000000000 +0200
|
||
|
++ src/network.c 2011-11-04 12:21:11.000000000 +0100
|
||
| ... | ... | |
|
ERR_error_string(ERR_get_error(), NULL));
|
||
|
return -1;
|
||
|
}
|
||
|
if (s->ssl_honor_cipher_order) {
|
||
|
SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||
|
}
|
||
|
}
|
||
|
/* Support for Diffie-Hellman key exchange */
|
||