add support for ssl_honor_cipher_order

perlbal · Oct 27, 2012 · 545eee4 · 545eee4
1 parent 9e0b06b
commit 545eee4
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/lib/Perlbal/Service.pm b/lib/Perlbal/Service.pm
@@ -97,6 +97,7 @@ use fields (
             'ssl_cipher_list',    # OpenSSL cipher list string
             'ssl_ca_path',        # directory:  path to certificates
             'ssl_verify_mode',    # int:  verification mode, see IO::Socket::SSL documentation 
+            'ssl_honor_cipher_order', # bool: see IO::Socket::SSL documentation (requires version >= 1.71)
 
             'enable_error_retries',  # bool: whether we should retry requests after errors
             'error_retry_schedule',  # string of comma-separated seconds (full or partial) to delay between retries
@@ -615,6 +616,12 @@ our $tunables = {
         check_type => "int",
         check_role => "*",
     },
+    'ssl_honor_cipher_order' => {
+        des => 'SSL: server determines cipher order to try',
+        default => 0,
+        check_type => "int",
+        check_role => "*",
+    },
 
     'enable_error_retries' => {
         des => 'Whether Perlbal should transparently retry requests to backends if a backend returns a 500 server error.',
@@ -1643,6 +1650,7 @@ sub enable {
                 SSL_cipher_list => $self->{ssl_cipher_list},
                 (defined $self->{ssl_ca_path} ? (SSL_ca_path => $self->{ssl_ca_path}) : ()),
                 (defined $self->{ssl_verify_mode} ? (SSL_verify_mode => $self->{ssl_verify_mode}) : ()),
+                (defined $self->{ssl_honor_cipher_order} ? (SSL_honor_cipher_order => $self->{ssl_honor_cipher_order}) : ()),
             };
             return $mc->err("IO::Socket:SSL (0.98+) not available.  Can't do SSL.") unless eval "use IO::Socket::SSL 0.98 (); 1;";
             return $mc->err("SSL key file ($self->{ssl_key_file}) doesn't exist")   unless -f $self->{ssl_key_file};