author | Filippo Valsorda <[email protected]> | 2016-08-25 18:28:51 +0100 |
---|---|---|
committer | Filippo Valsorda <[email protected]> | 2016-08-25 18:28:51 +0100 |
commit | ef585367113a6aca7c5f4d439196a5511eca7dbe (patch) | |
tree | 221a3ba0be28a5f876e26031fb84fd5969dcc8bb | |
parent | 17709a7d3f1a6ee0c34bdb81c6332b1339ea7085 (diff) | |
Actually set tls.Config.PreferServerCipherSuites

It was set by default on the caddy-internal config object, and even
checked for conflicts, but it was never actually reflected on the
tls.Config.

This will have user-visible changes: a client that prefers, say, AES-CBC
but also supports AES-GCM would have used AES-CBC before this, and will
use AES-GCM after.

This is desirable and important behavior, because if for example the
server wanted to support 3DES, but *only if it was strictly necessary*,
it would have had no way of doing so with PreferServerCipherSuites
false, as the client preference would have won.

-rw-r--r-- | caddytls/config.go | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/caddytls/config.go b/caddytls/config.go index f0f234b63..f73cbde39 100644 --- a/caddytls/config.go +++ b/caddytls/config.go @@ -350,6 +350,7 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) { if i > 0 && cfg.PreferServerCipherSuites != configs[i-1].PreferServerCipherSuites { return nil, fmt.Errorf("cannot both use PreferServerCipherSuites and not use it") } + config.PreferServerCipherSuites = cfg.PreferServerCipherSuites // Go with the widest range of protocol versions if config.MinVersion == 0 || cfg.ProtocolMinVersion < config.MinVersion { |
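
Review bot: The added line `config.PreferServerCipherSuites = cfg.PreferServerCipherSuites`, placed right after the conflict check in MakeTLSConfig, arrives without a test: the diffstat touches only caddytls/config.go. The commit message says the field was defaulted and conflict-checked but never reached the tls.Config, which is exactly the kind of gap that returns unnoticed, so a regression test that calls MakeTLSConfig and asserts the returned tls.Config carries the same PreferServerCipherSuites value as the input configs would be worth adding. The assignment also repeats on every loop iteration even though the check above it already guarantees all configs agree; that is harmless, but a one-line comment saying so would save the next reader the question. Since the commit message states that cipher negotiation changes for existing clients, a changelog entry should accompany the fix.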