From ce3062904f0697f470b5a9213f2b805e8eae3087 Mon Sep 17 00:00:00 2001
From: Tobias von der Krone <tobias.vonderkrone@profitbricks.com>
Date: Fri, 4 Mar 2016 08:14:03 +0100
Subject: [PATCH] Use the server's preferred cipher for the API connection

When using SSL_OP_CIPHER_SERVER_PREFERENCE the server's preferred cipher
is used instead of the client preference, see
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

fixes #11290
---
 lib/base/tlsutility.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 5040013cc..e43596272 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -85,7 +85,7 @@ boost::shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& pr
 
 	boost::shared_ptr<SSL_CTX> sslContext = boost::shared_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_method()), SSL_CTX_free);
 
-	long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+	long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE;
 
 #ifdef SSL_OP_NO_COMPRESSION
 	flags |= SSL_OP_NO_COMPRESSION;
-- 
2.40.0