
commit 687b52298d7d87a5ce0919f34a1666724a709c88
Author: Stefan Bühler <stbuehler@web.de>
Date:   Wed Nov 30 19:59:24 2011 +0000

    [ssl] add option to honor server cipher order, true by default (fixes #2364)
    
    git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2810 152afb58-edef-0310-8abb-c4023f1b3aa9
    
    Conflicts:
    
    	NEWS
    	doc/config/lighttpd.conf
    	src/base.h
    	src/configfile.c

diff --git a/src/base.h b/src/base.h
index 4243bd2..9d4efa0 100644
--- a/src/base.h
+++ b/src/base.h
@@ -275,6 +275,7 @@ typedef struct {
 	buffer *ssl_pemfile;
 	buffer *ssl_ca_file;
 	buffer *ssl_cipher_list;
+	unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
 	unsigned short ssl_use_sslv2;
 	unsigned short ssl_verifyclient;
 	unsigned short ssl_verifyclient_enforce;
diff --git a/src/configfile.c b/src/configfile.c
index 3037185..1137825 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -94,6 +94,7 @@
 		{ "etag.use-inode",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
 		{ "etag.use-mtime",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
 		{ "etag.use-size",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
+		{ "ssl.honor-cipher-order",      NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 61 */
 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
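Review bot: The new config_values entry is inserted directly after the `/* 51 */` entry yet is tagged `/* 61 */` and wired as `cv[61].destination` in the `@@ -214,6 +216,7 @@` hunk, and cv[] is indexed by array position, so the two agree only if exactly nine entries sit between them in a part of the array this hunk does not show. The commit record lists a conflict in src/configfile.c, so the backported index deserves a check against the actual array in this tree: a mismatch would presumably leave the real "ssl.honor-cipher-order" entry without a destination and point cv[61] at some other key, so the option would silently not take effect or would clobber another setting. Placing the entry at the end of the numbered run (immediately after whichever entry is really `/* 60 */`) and keeping the `cv[61].destination = &(s->ssl_honor_cipher_order);` line in index order after `cv[51]` rather than between `cv[48]` and `cv[49]` would make the correspondence visible to the next reader.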
@@ -159,6 +160,7 @@
 		s->max_write_idle = 360;
 		s->use_xattr     = 0;
 		s->is_ssl        = 0;
+		s->ssl_honor_cipher_order = 1;
 		s->ssl_use_sslv2 = 1;
 		s->use_ipv6      = 0;
 #ifdef HAVE_LSTAT
@@ -214,6 +216,7 @@
 
 		cv[47].destination = s->ssl_cipher_list;
 		cv[48].destination = &(s->ssl_use_sslv2);
+		cv[61].destination = &(s->ssl_honor_cipher_order);
 		cv[49].destination = &(s->etag_use_inode);
 		cv[50].destination = &(s->etag_use_mtime);
 		cv[51].destination = &(s->etag_use_size);
@@ -291,6 +294,7 @@
 	PATCH(ssl_pemfile);
 	PATCH(ssl_ca_file);
 	PATCH(ssl_cipher_list);
+	PATCH(ssl_honor_cipher_order);
 	PATCH(ssl_use_sslv2);
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
@@ -346,6 +350,8 @@
 				PATCH(ssl_pemfile);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
 				PATCH(ssl_ca_file);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
+				PATCH(ssl_honor_cipher_order);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
 				PATCH(ssl_use_sslv2);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
diff --git a/src/network.c b/src/network.c
index b362129..be452a6 100644
--- a/src/network.c
+++ b/src/network.c
@@ -539,6 +539,10 @@ int network_init(server *srv) {
 						ERR_error_string(ERR_get_error(), NULL));
 				return -1;
 			}
+
+			if (s->ssl_honor_cipher_order) {
+				SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+			}
 		}
 
 		if (!buffer_is_empty(s->ssl_ca_file)) {
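Review bot: The `SSL_OP_CIPHER_SERVER_PREFERENCE` call is placed inside the block closed by the `}` that follows it, which, judging from the `return -1` after the cipher error and the sibling `ssl_ca_file` check below, appears to be the `ssl_cipher_list` conditional; if so, server preference is applied only when `ssl.cipher-list` is configured, and the "true by default" promised in the commit title has no effect for listeners that rely on OpenSSL's default cipher list. Moving the three lines after that closing brace, so they run for every SSL-enabled socket, would match the intent: `if (s->ssl_honor_cipher_order) { SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); }`. network_init begins and ends outside the hunk, so the exact enclosing condition should be confirmed in the file.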