From: Tobias von der Krone
Date: Fri, 4 Mar 2016 07:14:03 +0000 (+0100)
Subject: Use the server's preferred cipher for the API connection
X-Git-Tag: v2.5.0~496
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ce3062904f0697f470b5a9213f2b805e8eae3087;p=icinga2
Use the server's preferred cipher for the API connection
When using SSL_OP_CIPHER_SERVER_PREFERENCE the server's preferred cipher is used instead of the client preference, see https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
fixes #11290
---
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 5040013cc..e43596272 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -85,7 +85,7 @@ boost::shared_ptr MakeSSLContext(const String& pubkey, const String& pr
 boost::shared_ptr sslContext = boost::shared_ptr(SSL_CTX_new(SSLv23_method()), SSL_CTX_free);
- long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE;
 #ifdef SSL_OP_NO_COMPRESSION
 flags |= SSL_OP_NO_COMPRESSION;
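Review bot: The `SSL_OP_CIPHER_SERVER_PREFERENCE` bit added on the `long flags` line only improves negotiation if the server's cipher list is itself ordered strongest-first, and nothing in this hunk sets one, so as far as the visible lines show the server would simply be enforcing OpenSSL's default ordering. MakeSSLContext starts and ends outside the hunk, so this may already be handled; if it is not, a call such as `SSL_CTX_set_cipher_list(sslContext.get(), <ordered-cipher-string>)` with a checked return value belongs next to the `SSL_CTX_set_options` call. The option is also ignored on client-side connections, and this helper appears to build contexts for both roles, so the line deserves a why-comment, e.g. `/* Server selects the cipher from its own ordered list so a peer cannot steer negotiation to a weaker shared suite; no effect on client contexts. */`.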