From 54c0ead9164365ee49b0931d5b6226b4b1a3e24c Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov
Date: Fri, 15 Feb 2019 12:35:59 +0100
Subject: [PATCH] Add configurable 'honor_cipher_order'

Needed to fix #2069.

Prefering the ciphers set in the server, instead of relying on the offer of the client is considered good practice in TLS1.[012] (see e.g. [0]).

[0] https://cipherli.st/

Signed-off-by: Stoiko Ivanov
---
 PVE/APIServer/AnyEvent.pm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index 14e46fa..3892136 100755
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -1644,8 +1644,13 @@ sub new {
     $self->{end_cond} = AnyEvent->condvar;
 
     if ($self->{ssl}) {
+        my $tls_ctx_flags = &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE;
+        if ( delete $self->{ssl}->{honor_cipher_order} ) {
+            $tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE;
+        }
+
         $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
-        Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
+        Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
     }
 
     if ($self->{spiceproxy}) {
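Review bot: `delete $self->{ssl}->{honor_cipher_order}` removes the option by mutating the `ssl` hash in place, which is presumably the hashref the caller passed to new(), so the setting silently vanishes from the caller's configuration after construction and is lost if that hash is reused to build another server; copying first keeps the input read-only: `my %tls_opts = %{ $self->{ssl} };`, `my $honor_cipher_order = delete $tls_opts{honor_cipher_order};`, then `AnyEvent::TLS->new(%tls_opts)`. Because OP_CIPHER_SERVER_PREFERENCE is only OR'd in when the key is truthy, the server-side ordering the commit message calls good practice stays off for every existing caller; if that is a deliberate compatibility choice it should be stated where the option is declared (outside this hunk), otherwise `delete ... // 1` would make the hardening the default. The new `&Net::SSLeay::OP_...` calls without parentheses follow the removed line's style but pass the current `@_` to each constant accessor; `Net::SSLeay::OP_NO_COMPRESSION()` is the safer form if the file is ever tidied. sub new starts and ends outside this hunk.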