nghttpx: Enable --honor-cipher-order automatically when --ciphers is used

9e703170 · Tatsuhiro Tsujikawa · 5166a61b · 9e703170 · 9e703170
Commit 9e703170 authored Aug 30, 2013 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

src/shrpx.cc src/shrpx.cc +2 -0

src/shrpx_ssl.cc src/shrpx_ssl.cc +3 -3

No files found.
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -502,6 +502,8 @@ void print_help(std::ostream& out)
      << "  SSL/TLS:\n"
      << "    --ciphers=<SUITE>  Set allowed cipher list. The format of the\n"
      << "                       string is described in OpenSSL ciphers(1).\n"
+      << "                       If this option is used, --honor-cipher-order\n"
+      << "                       is implicitly enabled.\n"
      << "    --honor-cipher-order\n"
      << "                       Honor server cipher order, giving the\n"
      << "                       ability to mitigate BEAST attacks.\n"

--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -152,9 +152,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
                 << ERR_error_string(ERR_get_error(), NULL);
      DIE();
    }
-    if(get_config()->honor_cipher_order) {
-      SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-    }
+    SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+  } else if(get_config()->honor_cipher_order) {
+    SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  }

  // Use P-256, which is sufficiently secure at the time of this