View Ticket
Ticket Hash: 305ee10b8666aa7a3107dc2f1a62b2c3abe35353
Title: support of openssl options in tls:init
Status: Open Type: Feature Request
Severity: Important Priority: Immediate
Subsystem: Resolution: Open
Last Modified: 2021-09-29 08:42:00
Version Found In: 1.7.22
User Comments:
anonymous added on 2021-09-29 08:34:09: (text/x-markdown)
In some cases it is required to change openssl options running tcltls. There may be more and other options as I need and describe here.

E.g. running tclhttpd with tcltls needs openssl to change client to server cipher order to pass SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) as grade A.

I don't know a better way as to add SSL_OP_CIPHER_SERVER_PREFERENCE to tcl.c but would prefer to have an option in ::tls::init

tls.c:1215    SSL_CTX_set_options( ctx, SSL_OP_ALL | SSL_OP_CIPHER_SERVER_PREFERENCE );	/* all SSL bug workarounds */

anonymous added on 2021-09-29 08:42:00: (text/x-markdown)
Of cause the added line should be 

tls.c:1215 
SSL_CTX_set_options( ctx, SSL_OP_CIPHER_SERVER_PREFERENCE );	/* force cipher order selection by server */