diff options
| author | Todd Short <tshort@akamai.com> | 2015-12-21 15:19:29 -0500 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2017-11-30 07:13:08 +1000 |
| commit | e1c7871de80029b81824df4d59edc6de5293835f (patch) | |
| tree | 8b5e34751cbc70493dbbb36cddaf7f85cd943ccd /apps/apps.h | |
| parent | 92b1b9a8871530f26ef7df972111297ffa721be2 (diff) | |
Use ChaCha only if prioritized by clnt
IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then reprioritize ChaCha above everything else. This way, A matching
ChaCha cipher will be selected if there is a match. If no ChaCha ciphers
match, then the other ciphers are used.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)
Diffstat (limited to 'apps/apps.h')
| -rw-r--r-- | apps/apps.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/apps.h b/apps/apps.h index a279d42b56..bb89eaecf6 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -204,6 +204,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \ OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \ + OPT_S_PRIORITIZE_CHACHA, \ OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \ OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \ OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \ @@ -233,6 +234,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, "Disallow initial connection to servers that don't support RI"}, \ {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \ "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"}, \ + {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \ + "Prioritize ChaCha ciphers when preferred by clients"}, \ {"strict", OPT_S_STRICT, '-', \ "Enforce strict certificate checks as per TLS standard"}, \ {"sigalgs", OPT_S_SIGALGS, 's', \ @@ -270,6 +273,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, case OPT_S_ONRESUMP: \ case OPT_S_NOLEGACYCONN: \ case OPT_S_ALLOW_NO_DHE_KEX: \ + case OPT_S_PRIORITIZE_CHACHA: \ case OPT_S_STRICT: \ case OPT_S_SIGALGS: \ case OPT_S_CLIENTSIGALGS: \ |