diff options
| author | Todd Short <tshort@akamai.com> | 2015-12-21 15:19:29 -0500 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2017-11-30 07:13:08 +1000 |
| commit | e1c7871de80029b81824df4d59edc6de5293835f (patch) | |
| tree | 8b5e34751cbc70493dbbb36cddaf7f85cd943ccd /ssl/ssl_conf.c | |
| parent | 92b1b9a8871530f26ef7df972111297ffa721be2 (diff) | |
Use ChaCha only if prioritized by clnt
IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then reprioritize ChaCha above everything else. This way, A matching
ChaCha cipher will be selected if there is a match. If no ChaCha ciphers
match, then the other ciphers are used.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)
Diffstat (limited to 'ssl/ssl_conf.c')
| -rw-r--r-- | ssl/ssl_conf.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 1a8dc1543d..fe090ae40d 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -368,7 +368,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), - SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX) + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA) }; if (value == NULL) return -3; @@ -588,6 +589,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0), + SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("strict", 0), SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), @@ -660,6 +662,8 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, /* allow_no_dhe_kex */ {SSL_OP_ALLOW_NO_DHE_KEX, 0}, + /* chacha reprioritization */ + {SSL_OP_PRIORITIZE_CHACHA, 0}, {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ }; |