From cb266283f849bd2d416d5c407320c027f9cd9378 Mon Sep 17 00:00:00 2001
From: Aaron Jones <aaronmdjones@gmail.com>
Date: Wed, 20 May 2015 16:41:34 +0000
Subject: [PATCH] libratbox/openssl: Set explicit cipher list for the client
 context aswell

This is in furtherance of commits 9799bea4 and 1f384464 and addresses
any potential vulnerability to LogJam <https://weakdh.org/>
---
 libratbox/src/openssl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libratbox/src/openssl.c b/libratbox/src/openssl.c
index 06d0ab55d..911dbb61a 100644
--- a/libratbox/src/openssl.c
+++ b/libratbox/src/openssl.c
@@ -302,6 +302,7 @@ rb_init_ssl(void)
 {
 	int ret = 1;
 	char libratbox_data[] = "libratbox data";
+	const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
 	SSL_load_error_strings();
 	SSL_library_init();
 	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
@@ -343,7 +344,7 @@ rb_init_ssl(void)
 	SSL_CTX_set_options(ssl_server_ctx, server_options);
 	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
 	SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
-	SSL_CTX_set_cipher_list(ssl_server_ctx, "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL");
+	SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
 
 	/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
 	   and bastardise their OpenSSL for stupid reasons... */
@@ -372,6 +373,8 @@ rb_init_ssl(void)
 	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
 #endif
 
+	SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
+
 	return ret;
 }