From 9e703170cd2757c58d7f03d519b3fc7596528d2b Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 30 Aug 2013 23:02:47 +0900
Subject: [PATCH] nghttpx: Enable --honor-cipher-order automatically when --ciphers is used
---
 src/shrpx.cc | 2 ++
 src/shrpx_ssl.cc | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/shrpx.cc b/src/shrpx.cc
index 3a616eb2..cb2ec7bd 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -502,6 +502,8 @@ void print_help(std::ostream& out)
 << " SSL/TLS:\n"
 << " --ciphers= Set allowed cipher list. The format of the\n"
 << " string is described in OpenSSL ciphers(1).\n"
+ << " If this option is used, --honor-cipher-order\n"
+ << " is implicitly enabled.\n"
 << " --honor-cipher-order\n"
 << " Honor server cipher order, giving the\n"
 << " ability to mitigate BEAST attacks.\n"
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index af8dc6a0..1715d717 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -152,9 +152,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
 << ERR_error_string(ERR_get_error(), NULL);
 DIE();
 }
- if(get_config()->honor_cipher_order) {
- SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else if(get_config()->honor_cipher_order) {
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
 // Use P-256, which is sufficiently secure at the time of this
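Review bot: The help text added under --ciphers in print_help (src/shrpx.cc) says server cipher order is implicitly enabled, but not what that means for the operator: the order of suites in the string now decides which one is negotiated. I would add a line to the option text such as `The first suite in the list that the client also offers is selected, so list preferred suites first.` The --honor-cipher-order entry could also say that the flag only has an effect when --ciphers is not given, which is what the shrpx_ssl.cc hunk implements. print_help's body continues outside the hunk.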
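Review bot: In create_ssl_context (src/shrpx_ssl.cc) both branches now end in the same `SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` call, and no comment records why an explicit cipher list forces server preference. Setting the option once after the cipher-list block, guarded by `if(get_config()->ciphers || get_config()->honor_cipher_order) {`, keeps the policy in one place. A comment such as `// An explicit --ciphers list is ordered by the operator; make that order win over the client's.` would state the intent. The opening `if(get_config()->ciphers) {` lies above the hunk, so the branch structure is inferred from the visible closing braces.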