From 9cf708807c3dac2ddab893410af82423ac266830 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Mon, 15 Dec 2014 21:38:54 -0500
Subject: [PATCH] Consistently order ECDHE_ECDSA over ECDHE_RSA.

Currently we don't express an opinion. Most sites aren't likely to have a choice since it depends on what certificates they have available. But we may as well order them.

Change-Id: I4fffa5e392f42e19823cb8faa2e9e15a6bb91086
Reviewed-on: https://boringssl-review.googlesource.com/2607
Reviewed-by: Adam Langley
---
 ssl/ssl_ciph.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 37c7e433..d5039cc8 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1031,7 +1031,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_meth
 /* Now arrange all ciphers by preference:
 * TODO(davidben): Compute this order once and copy it. */
- /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
+ /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over
+ * other key exchange mechanisms */
+ ssl_cipher_apply_rule(0, SSL_kEECDH, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
 ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);