crypto: add `honorCipherOrder` argument

Add `honorCipherOrder` argument to `crypto.createCredentials`.

fix #7249

diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index fb9e261..748e835 100644 (file)
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -436,6 +436,9 @@ dictionary with keys:
   Consult
   <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>
   for details on the format.
+* `honorCipherOrder` : When choosing a cipher, use the server's preferences
+  instead of the client preferences. For further details see `tls` module
+  documentation.
 
 If no 'ca' details are given, then node.js will use the default
 publicly trusted list of CAs as given in
@@ -608,7 +611,8 @@ more information.
 
 Add secure context that will be used if client request's SNI hostname is
 matching passed `hostname` (wildcards can be used). `context` can contain
-`key`, `cert` and `ca`.
+`key`, `cert`, `ca` and/or any other properties from `tls.createSecureContext`
+`options` argument.
 
 ### server.maxConnections
 

diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index df2c70c..7212849 100644 (file)
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -20,6 +20,7 @@
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 var util = require('util');
+var constants = require('constants');
 var tls = require('tls');
 
 // Lazily loaded
@@ -54,9 +55,11 @@ exports.SecureContext = SecureContext;
 exports.createSecureContext = function createSecureContext(options, context) {
   if (!options) options = {};
 
-  var c = new SecureContext(options.secureProtocol,
-                            options.secureOptions,
-                            context);
+  var secureOptions = options.secureOptions;
+  if (options.honorCipherOrder)
+    secureOptions |= constants.SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+  var c = new SecureContext(options.secureProtocol, secureOptions, context);
 
   if (context) return c;
 

diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 8f44da1..5a921f7 100644 (file)
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -602,6 +602,7 @@ function Server(/* [options], listener */) {
     ecdhCurve: self.ecdhCurve,
     secureProtocol: self.secureProtocol,
     secureOptions: self.secureOptions,
+    honorCipherOrder: self.honorCipherOrder,
     crl: self.crl,
     sessionIdContext: self.sessionIdContext
   });
@@ -720,9 +721,10 @@ Server.prototype.setOptions = function(options) {
   if (options.sessionTimeout) this.sessionTimeout = options.sessionTimeout;
   if (options.ticketKeys) this.ticketKeys = options.ticketKeys;
   var secureOptions = options.secureOptions || 0;
-  if (options.honorCipherOrder) {
-    secureOptions |= constants.SSL_OP_CIPHER_SERVER_PREFERENCE;
-  }
+  if (options.honorCipherOrder)
+    this.honorCipherOrder = true;
+  else
+    this.honorCipherOrder = false;
   if (secureOptions) this.secureOptions = secureOptions;
   if (options.NPNProtocols) tls.convertNPNProtocols(options.NPNProtocols, this);
   if (options.sessionIdContext) {