diff --git a/src/shrpx.cc b/src/shrpx.cc
index 3a616eb2..cb2ec7bd 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -502,6 +502,8 @@ void print_help(std::ostream& out)
 << " SSL/TLS:\n"
 << " --ciphers= Set allowed cipher list. The format of the\n"
 << " string is described in OpenSSL ciphers(1).\n"
+ << " If this option is used, --honor-cipher-order\n"
+ << " is implicitly enabled.\n"
 << " --honor-cipher-order\n"
 << " Honor server cipher order, giving the\n"
 << " ability to mitigate BEAST attacks.\n"
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index af8dc6a0..1715d717 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -152,9 +152,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
 << ERR_error_string(ERR_get_error(), NULL);
 DIE();
 }
- if(get_config()->honor_cipher_order) {
- SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else if(get_config()->honor_cipher_order) {
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
 // Use P-256, which is sufficiently secure at the time of this
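Review bot: In the `src/shrpx_ssl.cc` hunk, both branches now make the identical `SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)` call, and nothing at the call site says why a configured cipher list forces server preference. A single check placed after the cipher-list block would keep the policy in one place: `if(get_config()->ciphers || get_config()->honor_cipher_order) { SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); }`. It should carry a comment such as `// An explicit --ciphers list is ordered by the operator, so the server's order must win during negotiation.` Since `--ciphers` now leaves no way to keep client preference, existing deployments that set it will negotiate differently after upgrade, which deserves a line in the release notes. The opening of the outer `if` (presumably the `--ciphers` check) and the rest of `create_ssl_context` lie outside the hunk, so the branch structure is inferred from the visible braces.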