authorJoel Sing <jsing@cvs.openbsd.org>2013-07-16 11:32:06 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2013-07-16 11:32:06 +0000
commit192b7bb1b899b5391acb15a86f9f943eda53e98d (patch)
tree8f3c46e8fc3c0b8fb93120cd669febb8c2f7e946
parentd438f3280f235edf33001d799b283cfead41f7e1 (diff)
Define HonorCipherOrder as a FLAG (rather than as a TAKE1), so that it
works correctly as a boolean on/off flag. While here, rename the variable so that it is consistent with existing naming scheme. ok otto@ djm@
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.c6
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.h4
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c21
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c4
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c2
5 files changed, 19 insertions, 18 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index c516b4ae845..3a50bda9b8d 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
@@ -74,7 +74,7 @@
* identify the module to SCCS `what' and RCS `ident' commands
*/
static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[] = "$Id: mod_ssl.c,v 1.11 2013/07/11 12:41:52 otto Exp $";
+static char const rcsid[] = "$Id: mod_ssl.c,v 1.12 2013/07/16 11:32:05 jsing Exp $";
/*
* the table of configuration directives we provide
@@ -107,9 +107,9 @@ static command_rec ssl_config_cmds[] = {
AP_SRV_CMD(Engine, FLAG,
"SSL switch for the protocol engine "
"(`on', `off')")
- AP_SRV_CMD(HonorCipherOrder, TAKE1,
+ AP_SRV_CMD(HonorCipherOrder, FLAG,
"Let the server determine preferred ciphers "
- "(`on', `off'")
+ "(`on', `off')")
AP_ALL_CMD(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
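Review bot: The help text on the HonorCipherOrder entry still does not say what happens when the directive is absent. Elsewhere in this commit the field starts as `UNSET` and `SSL_OP_CIPHER_SERVER_PREFERENCE` is applied only when it compares equal to `TRUE`, so a server that never mentions the directive keeps the client's cipher ordering. I would state that in the description string, for example by ending the parenthesised part with `default: off`. Switching the entry from `TAKE1` to `FLAG` presumably also changes how existing configuration lines are interpreted, so the directive's manual entry or upgrade notes should tell operators to re-check which ciphers are negotiated after updating. The `ssl_config_cmds[]` table begins and ends outside this hunk.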
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index c4529bf2c3d..22c982b1401 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -516,7 +516,7 @@ typedef struct {
char *szCipherSuite;
FILE *fileLogFile;
int nLogLevel;
- BOOL cipher_server_pref;
+ BOOL bHonorCipherOrder;
int nVerifyDepth;
ssl_verify_t nVerifyClient;
X509 *pPublicCert[SSL_AIDX_MAX];
@@ -590,8 +590,8 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
-const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
+const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, char *, char *);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index 7929468cc8c..f7455783b6a 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -197,7 +197,7 @@ void *ssl_config_server_create(pool *p, server_rec *s)
sc->szLogFile = NULL;
sc->szCipherSuite = NULL;
sc->nLogLevel = SSL_LOG_NONE;
- sc->cipher_server_pref = UNSET;
+ sc->bHonorCipherOrder = UNSET;
sc->nVerifyDepth = UNSET;
sc->nVerifyClient = SSL_CVERIFY_UNSET;
sc->nSessionCacheTimeout = UNSET;
@@ -253,7 +253,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv)
cfgMergeString(szCertificateChain);
cfgMergeString(szLogFile);
cfgMergeString(szCipherSuite);
- cfgMergeBool(cipher_server_pref);
+ cfgMergeBool(bHonorCipherOrder);
cfgMerge(nLogLevel, SSL_LOG_NONE);
cfgMergeInt(nVerifyDepth);
cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
@@ -532,14 +532,6 @@ const char *ssl_cmd_SSLEngine(
return NULL;
}
-const char *ssl_cmd_SSLHonorCipherOrder(
- cmd_parms *cmd, char *struct_ptr, int flag)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- sc->cipher_server_pref = flag?TRUE:FALSE;
- return NULL;
-}
-
const char *ssl_cmd_SSLCipherSuite(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
@@ -552,6 +544,15 @@ const char *ssl_cmd_SSLCipherSuite(
return NULL;
}
+const char *ssl_cmd_SSLHonorCipherOrder(
+ cmd_parms *cmd, char *struct_ptr, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->bHonorCipherOrder = (flag ? TRUE : FALSE);
+ return NULL;
+}
+
const char *ssl_cmd_SSLCertificateFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
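Review bot: The re-added `ssl_cmd_SSLHonorCipherOrder` carries no comment tying its `int flag` parameter to the `FLAG` entry in `ssl_config_cmds[]`, and that pairing is exactly what this commit had to repair. The argument kind in the table and the handler's third parameter appear to be matched by convention only, so a one-line comment above the definition would make a future mismatch easier to catch in review: `/* FLAG handler: flag is 0 for off, non-zero for on; the table entry must stay FLAG */`. The function is complete inside the hunk; the `ssl_cmd_SSLCertificateFile` definition that follows it continues outside.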
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 8720f236134..eb95d778f79 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_engine_init.c,v 1.29 2013/07/11 12:41:52 otto Exp $ */
+/* $OpenBSD: ssl_engine_init.c,v 1.30 2013/07/16 11:32:05 jsing Exp $ */
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
@@ -589,7 +589,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
- if (sc->cipher_server_pref == TRUE)
+ if (sc->bHonorCipherOrder == TRUE)
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_app_data(ctx, s);
sc->pSSLCtx = ctx;
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 89823934f68..254757b60cc 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -802,7 +802,7 @@ int ssl_hook_Access(request_rec *r)
sk_SSL_CIPHER_free(skCipherOld);
/* tracing */
if (renegotiate) {
- if (sc->cipher_server_pref == TRUE)
+ if (sc->bHonorCipherOrder == TRUE)
SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
ssl_log(r->server, SSL_LOG_TRACE,
"Reconfigured cipher suite will force renegotiation");