From e489ebad88b947e0d70473bf0428b440137048b7 Mon Sep 17 00:00:00 2001
From: benno <benno@openbsd.org>
Date: Tue, 27 Oct 2015 12:27:54 +0000
Subject: [PATCH] change cipher-server-preference to be on by default. It can
 be disabled with  no cipher-server-preference this makes more clients select
 ciphers with pfs. requested and ok by reyk@

---
 usr.sbin/relayd/relayd.conf.5 | 6 +++---
 usr.sbin/relayd/relayd.h      | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index bdb6cd31e59..60411785064 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: relayd.conf.5,v 1.166 2015/10/24 11:37:17 benno Exp $
+.\"	$OpenBSD: relayd.conf.5,v 1.167 2015/10/27 12:27:54 benno Exp $
 .\"
 .\" Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 24 2015 $
+.Dd $Mdocdate: October 27 2015 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
@@ -934,7 +934,7 @@ for information about SSL/TLS cipher suites and preference lists.
 .It Oo Ic no Oc Ic cipher-server-preference
 Prefer the server's cipher list over the client's preferences when
 choosing a cipher for the connection;
-disabled by default.
+enabled by default.
 .It Oo Ic no Oc Ic client-renegotiation
 Allow client-initiated renegotiation;
 enabled by default.
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 3c7dc89add2..d48581240d9 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: relayd.h,v 1.214 2015/08/21 08:45:51 yasuoka Exp $	*/
+/*	$OpenBSD: relayd.h,v 1.215 2015/10/27 12:27:54 benno Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -676,7 +676,7 @@ TAILQ_HEAD(relay_rules, relay_rule);
 #define TLSFLAG_CIPHER_SERVER_PREF		0x20
 #define TLSFLAG_CLIENT_RENEG			0x40
 #define TLSFLAG_DEFAULT				\
-	(TLSFLAG_TLSV1_2|TLSFLAG_CLIENT_RENEG)
+	(TLSFLAG_TLSV1_2|TLSFLAG_CIPHER_SERVER_PREF|TLSFLAG_CLIENT_RENEG)
 
 #define TLSFLAG_BITS						\
 	"\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2"	\
-- 
2.20.1