Add option to respect client ciphersuite order
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index a631a4a..d50b50c 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -643,6 +643,16 @@
#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
/**
+ * \def POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+ *
+ * Pick the ciphersuite according to the client's preferences rather than ours
+ * in the SSL Server module (POLARSSL_SSL_SRV_C).
+ *
+ * Uncomment this macro to respect client's ciphersuite order
+ */
+//#define POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+
+/**
* \def POLARSSL_SSL_MAX_FRAGMENT_LENGTH
*
* Enable support for RFC 6066 max_fragment_length extension in SSL.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 0d6df13..0c6c0d7 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -975,9 +975,15 @@
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
ciphersuite_info = NULL;
+#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+ for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+ {
+ for( i = 0; ciphersuites[i] != 0; i++ )
+#else
for( i = 0; ciphersuites[i] != 0; i++ )
{
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+#endif
{
if( p[0] != 0 ||
p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
@@ -1424,9 +1430,15 @@
*/
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
ciphersuite_info = NULL;
+#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+ for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
+ {
+ for( i = 0; ciphersuites[i] != 0; i++ )
+#else
for( i = 0; ciphersuites[i] != 0; i++ )
{
for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
+#endif
{
if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
p[1] != ( ( ciphersuites[i] ) & 0xFF ) )