Implements Cipher Server Preference

skinkie · Nov 17, 2011 · d230685 · d230685
1 parent 51e2ff1
commit d230685
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 0 deletions.
diff --git a/admin/PageVServer.py b/admin/PageVServer.py
@@ -46,6 +46,7 @@
 NOTE_CERT_KEY         = N_('PEM-encoded Private Key file for the server (Full path to the file)')
 NOTE_CA_LIST          = N_('File containing the trusted CA certificates, utilized for checking the client certificates (Full path to the file)')
 NOTE_CIPHERS          = N_('Ciphers that TLS/SSL is allowed to use. <a target="_blank" href="http://www.openssl.org/docs/apps/ciphers.html">Reference</a>. (Default: HIGH:!aNULL:!MD5).')
+NOTE_CIPHER_SERVER_PREFERENCE = N_('The cipher sequence that is specified by the server should have preference over the preference of the client. (Default: False).')
 NOTE_CLIENT_CERTS     = N_('Skip, Accept or Require client certificates.')
 NOTE_VERIFY_DEPTH     = N_('Limit up to which depth certificates in a chain are used during the verification procedure (Default: 1)')
 NOTE_ERROR_HANDLER    = N_('Allows the selection of how to generate the error responses.')
@@ -665,6 +666,7 @@ def __init__ (self, vsrv_num, refreshable):
         # Advanced options
         table = CTK.PropsTable()
         table.Add (_('Ciphers'),               CTK.TextCfg ('%s!ssl_ciphers' %(pre), True), _(NOTE_CIPHERS))
+        table.Add (_('Server Preference'),     CTK.CheckCfgText ('%s!ssl_cipher_server_preference' % (pre), False, _('Prefer')), _(NOTE_CIPHER_SERVER_PREFERENCE))
         table.Add (_('Client Certs. Request'), CTK.ComboCfg('%s!ssl_client_certs' %(pre), trans_options(CLIENT_CERTS)), _(NOTE_CLIENT_CERTS))
 
         if CTK.cfg.get_val('%s!ssl_client_certs' %(pre)):

diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
@@ -388,6 +388,12 @@ _vserver_new (cherokee_cryptor_t          *cryp,
 		options |= SSL_OP_NO_SSLv2;
 	}
 
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+    if (vsrv->cipher_server_preference) {
+        options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+    }
+#endif
+
 	SSL_CTX_set_options (n->context, options);
 
 	/* Set cipher list that vserver will accept.

diff --git a/cherokee/virtual_server.c b/cherokee/virtual_server.c
@@ -69,6 +69,8 @@ cherokee_virtual_server_new (cherokee_virtual_server_t **vserver, void *server)
 	n->hsts.subdomains = true;
 	n->hsts.max_age    = 365 * 24 * 60 * 60;
 
+    n->cipher_server_preference = false;
+
 	/* Virtual entries
 	 */
 	ret = cherokee_rule_list_init (&n->rules);
@@ -1149,6 +1151,10 @@ configure_virtual_server_property (cherokee_config_node_t *conf, void *data)
 		cherokee_buffer_clean      (&vserver->ciphers);
 		cherokee_buffer_add_buffer (&vserver->ciphers, &conf->val);
 
+    } else if (equal_buf_str (&conf->key, "ssl_cipher_server_preference")) {
+        ret = cherokee_atob (conf->val.buf, &vserver->cipher_server_preference);
+        if (ret != ret_ok) return ret_error;
+
 	} else if (equal_buf_str (&conf->key, "flcache") ||
 		   equal_buf_str (&conf->key, "collector")) {
 		/* Handled later on */

diff --git a/cherokee/virtual_server.h b/cherokee/virtual_server.h
@@ -75,6 +75,7 @@ typedef struct {
 	cherokee_buffer_t            certs_ca;
 	cherokee_buffer_t            req_client_certs;
 	cherokee_buffer_t            ciphers;
+    cherokee_boolean_t           cipher_server_preference;
 	cherokee_cryptor_vserver_t  *cryptor;
 
 	struct {