nghttpx: Enable --honor-cipher-order automatically when --ciphers is used

2013-08-30 23:02:47 +09:00 · 2013-08-30 23:02:47 +09:00 · 9e703170cd
parent 5166a61bfd
commit 9e703170cd
2 changed files with 5 additions and 3 deletions
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -502,6 +502,8 @@ void print_help(std::ostream& out)
      << "  SSL/TLS:\n"
      << "    --ciphers=<SUITE>  Set allowed cipher list. The format of the\n"
      << "                       string is described in OpenSSL ciphers(1).\n"
+      << "                       If this option is used, --honor-cipher-order\n"
+      << "                       is implicitly enabled.\n"
      << "    --honor-cipher-order\n"
      << "                       Honor server cipher order, giving the\n"
      << "                       ability to mitigate BEAST attacks.\n"
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@ -152,9 +152,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
                 << ERR_error_string(ERR_get_error(), NULL);
      DIE();
    }
-    if(get_config()->honor_cipher_order) {
-      SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-    }
+    SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+  } else if(get_config()->honor_cipher_order) {
+    SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  }

  // Use P-256, which is sufficiently secure at the time of this