Add "prefer-server-ciphers" options to the "tls" clause

This commit adds support for enforcing the preference of server ciphers over the client ones. This way, the server attains control over the ciphers priority and, thus, can choose more strong cyphers when a client prioritises less strong ciphers over the more strong ones, which is beneficial when trying to achieve Perfect Forward Secrecy.
2025-08-31 14:35:26 +00:00 · 2021-09-20 16:53:27 +03:00
parent 3b88d783a2
commit 16c6e2be06
14 changed files with 62 additions and 6 deletions
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -562,6 +562,18 @@ isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) {
 	RUNTIME_CHECK(SSL_CTX_set_cipher_list(ctx, cipherlist) == 1);
 }

+void
+isc_tlsctx_prefer_server_ciphers(isc_tlsctx_t *ctx, const bool prefer) {
+	REQUIRE(ctx != NULL);
+
+	if (prefer) {
+		(void)SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+	} else {
+		(void)SSL_CTX_clear_options(ctx,
+					    SSL_OP_CIPHER_SERVER_PREFERENCE);
+	}
+}
+
 isc_tls_t *
 isc_tls_create(isc_tlsctx_t *ctx) {
 	isc_tls_t *newctx = NULL;