added Context::preferServerCiphers()

NetSSL_OpenSSL/include/Poco/Net/Context.h

@@ -334,6 +334,12 @@ public:
 		/// values from the Protocols enumeration, e.g.:
 		///
 		///   context.disableProtocols(PROTO_SSLV2 | PROTO_SSLV3);
+		
+	void preferServerCiphers();
+		/// When choosing a cipher, use the server's preferences instead of the client 
+		/// preferences. When not called, the SSL server will always follow the clients 
+		/// preferences. When called, the SSL/TLS server will choose following its own 
+		/// preferences.
 
 private:
 	void init(const Params& params);

NetSSL_OpenSSL/include/Poco/Net/SSLManager.h

@@ -77,6 +77,7 @@ class NetSSL_API SSLManager
 	///            <verificationDepth>1..9</verificationDepth>
 	///            <loadDefaultCAFile>true|false</loadDefaultCAFile>
 	///            <cipherList>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</cipherList>
+	///            <preferServerCiphers>true|false</preferServerCiphers>
 	///            <privateKeyPassphraseHandler>
 	///                <name>KeyFileHandler</name>
 	///                <options>
@@ -118,6 +119,10 @@ class NetSSL_API SSLManager
 	///    - loadDefaultCAFile (boolean): Specifies whether the builtin CA certificates from OpenSSL are used.
 	///    - cipherList (string): Specifies the supported ciphers in OpenSSL notation
 	///      (e.g. "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH").
+	///    - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the 
+	///      client preferences. When not called, the SSL server will always follow the clients 
+	///      preferences. When called, the SSL/TLS server will choose following its own 
+	///      preferences.
 	///    - privateKeyPassphraseHandler.name (string): The name of the class (subclass of PrivateKeyPassphraseHandler)
 	///      used for obtaining the passphrase for accessing the private key.
 	///    - privateKeyPassphraseHandler.options.password (string): The password to be used by KeyFileHandler.
@@ -317,6 +322,7 @@ private:
 	static const std::string CFG_CIPHER_LIST;
 	static const std::string CFG_CYPHER_LIST; // for backwards compatibility
 	static const std::string VAL_CIPHER_LIST;
+	static const std::string CFG_PREFER_SERVER_CIPHERS;
 	static const std::string CFG_DELEGATE_HANDLER;
 	static const std::string VAL_DELEGATE_HANDLER;
 	static const std::string CFG_CERTIFICATE_HANDLER;

NetSSL_OpenSSL/src/Context.cpp

@@ -349,6 +349,14 @@ void Context::disableProtocols(int protocols)
 }
 
 
+void Context::preferServerCiphers()
+{
+#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+	SSL_CTX_set_options(_pSSLContext, SSL_OP_CIPHER_SERVER_PREFERENCE);
+#endif
+}
+
+
 void Context::createSSLContext()
 {
 	if (SSLManager::isFIPSEnabled())

NetSSL_OpenSSL/src/SSLManager.cpp

@@ -44,6 +44,7 @@ const bool        SSLManager::VAL_ENABLE_DEFAULT_CA(true);
 const std::string SSLManager::CFG_CIPHER_LIST("cipherList");
 const std::string SSLManager::CFG_CYPHER_LIST("cypherList");
 const std::string SSLManager::VAL_CIPHER_LIST("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+const std::string SSLManager::CFG_PREFER_SERVER_CIPHERS("preferServerCiphers");
 const std::string SSLManager::CFG_DELEGATE_HANDLER("privateKeyPassphraseHandler.name");
 const std::string SSLManager::VAL_DELEGATE_HANDLER("KeyConsoleHandler");
 const std::string SSLManager::CFG_CERTIFICATE_HANDLER("invalidCertificateHandler.name");
@@ -355,6 +356,15 @@ void SSLManager::initDefaultContext(bool server)
 		_ptrDefaultServerContext->enableExtendedCertificateVerification(extendedVerification);
 	else
 		_ptrDefaultClientContext->enableExtendedCertificateVerification(extendedVerification);
+
+	bool preferServerCiphers = config.getBool(prefix + CFG_PREFER_SERVER_CIPHERS, false);
+	if (preferServerCiphers)
+	{
+		if (server)
+			_ptrDefaultServerContext->preferServerCiphers();
+		else
+			_ptrDefaultClientContext->preferServerCiphers();
+	}
 }