diff --git a/src/shrpx.cc b/src/shrpx.cc
index 2f78a029..f5339882 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -380,6 +380,7 @@ void fill_default_config()
 // Default accept() backlog
 mod_config()->backlog = 256;
 mod_config()->ciphers = 0;
+ mod_config()->honor_cipher_order = false;
 mod_config()->spdy_proxy = false;
 mod_config()->spdy_bridge = false;
 mod_config()->client_proxy = false;
@@ -501,6 +502,9 @@ void print_help(std::ostream& out)
 << " SSL/TLS:\n"
 << " --ciphers= Set allowed cipher list. The format of the\n"
 << " string is described in OpenSSL ciphers(1).\n"
+ << " --honor-cipher-order\n"
+ << " Honor server cipher order, giving the\n"
+ << " ability to mitigate BEAST attacks.\n"
 << " -k, --insecure When used with -p or --client, don't verify\n"
 << " backend server's certificate.\n"
 << " --cacert= When used with -p or --client, set path to\n"
@@ -663,6 +667,7 @@ int main(int argc, char **argv)
 {"frontend-spdy-no-tls", no_argument, &flag, 29},
 {"frontend-spdy-proto", required_argument, &flag, 30},
 {"backend-tls-sni-field", required_argument, &flag, 31},
+ {"honor-cipher-order", no_argument, &flag, 32},
 {0, 0, 0, 0 }
 };
 int option_index = 0;
@@ -847,6 +852,11 @@ int main(int argc, char **argv)
 cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKEND_TLS_SNI_FIELD,
 optarg));
 break;
+ case 32:
+ // --honor-cipher-order
+ cmdcfgs.push_back(std::make_pair(SHRPX_OPT_HONOR_CIPHER_ORDER,
+ "yes"));
+ break;
 default:
 break;
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index d0d43064..d0078d56 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -86,6 +86,7 @@ const char SHRPX_OPT_SYSLOG[] = "syslog";
 const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
 const char SHRPX_OPT_BACKLOG[] = "backlog";
 const char SHRPX_OPT_CIPHERS[] = "ciphers";
+const char SHRPX_OPT_HONOR_CIPHER_ORDER[] = "honor-cipher-order";
 const char SHRPX_OPT_CLIENT[] = "client";
 const char SHRPX_OPT_INSECURE[] = "insecure";
 const char SHRPX_OPT_CACERT[] = "cacert";
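Review bot: The help text added in print_help for `--honor-cipher-order` promises BEAST mitigation, but the flag only sets SSL_OP_CIPHER_SERVER_PREFERENCE (see the shrpx_ssl.cc hunk), which makes the server's cipher order win over the client's; whether that mitigates anything depends entirely on which suites the operator's `--ciphers` list places first, and the placement in shrpx_ssl.cc suggests the option is only applied when a cipher list is configured at all. I would replace the two description lines with `Honor server cipher order; lets a --ciphers list ordered by preference decide the negotiated suite.` so operators do not read the flag as a mitigation on its own. print_help continues outside the hunk.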
@@ -353,6 +354,8 @@ int parse_config(const char *opt, const char *optarg)
 mod_config()->backlog = strtol(optarg, 0, 10);
 } else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
 set_config_str(&mod_config()->ciphers, optarg);
+ } else if(util::strieq(opt, SHRPX_OPT_HONOR_CIPHER_ORDER)) {
+ mod_config()->honor_cipher_order = util::strieq(optarg, "yes");
 } else if(util::strieq(opt, SHRPX_OPT_CLIENT)) {
 mod_config()->client = util::strieq(optarg, "yes");
 } else if(util::strieq(opt, SHRPX_OPT_INSECURE)) {
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index 5fb67ae2..ba368f79 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -78,6 +78,7 @@ extern const char SHRPX_OPT_SYSLOG[];
 extern const char SHRPX_OPT_SYSLOG_FACILITY[];
 extern const char SHRPX_OPT_BACKLOG[];
 extern const char SHRPX_OPT_CIPHERS[];
+extern const char SHRPX_OPT_HONOR_CIPHER_ORDER[];
 extern const char SHRPX_OPT_CLIENT[];
 extern const char SHRPX_OPT_INSECURE[];
 extern const char SHRPX_OPT_CACERT[];
@@ -146,6 +147,7 @@ struct Config {
 bool use_syslog;
 int backlog;
 char *ciphers;
+ bool honor_cipher_order;
 bool client;
 // true if --client or --client-proxy are enabled.
 bool client_mode;
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 57ccdb6d..a4ded9fc 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -146,6 +146,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
 << ERR_error_string(ERR_get_error(), NULL);
 DIE();
 }
+ if(get_config()->honor_cipher_order) {
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
 }
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
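Review bot: In create_ssl_context the new `if(get_config()->honor_cipher_order)` block is placed before the `}` that closes the surrounding block, and the cipher-list error handling (`ERR_error_string` / `DIE()`) just above suggests that surrounding block is the branch taken only when a cipher list is configured; if so, `--honor-cipher-order` given without `--ciphers` is accepted, recorded in Config, and then never applied. Hoisting the three added lines one level out, so they run unconditionally right before `SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);`, makes the flag mean what the help text says regardless of whether a custom list is set; alternatively the dependency should be stated next to the option. The block the check sits in begins outside the hunk, so the enclosing condition should be confirmed before moving it.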