Consistently order ECDHE_ECDSA over ECDHE_RSA. Currently we don't express an opinion. Most sites aren't likely to have a choice since it depends on what certificates they have available. But we may as well order them. Change-Id: I4fffa5e392f42e19823cb8faa2e9e15a6bb91086 Reviewed-on: https://boringssl-review.googlesource.com/2607 Reviewed-by: Adam Langley <agl@google.com>

commit: 9cf708807c3dac2ddab893410af82423ac266830 [log] [tgz]
author: David Benjamin <davidben@chromium.org> Mon Dec 15 21:38:54 2014 -0500
committer: Adam Langley <agl@google.com> Tue Dec 16 02:56:36 2014 +0000
tree: bf161ed10809f7f08baeb87b39c86699b914b1b7
parent: 248197585709b064007d9847baf9a7ef42a55f73 [diff]
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 37c7e43..d5039cc 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c

@@ -1031,7 +1031,9 @@
 	/* Now arrange all ciphers by preference:
 	 * TODO(davidben): Compute this order once and copy it. */
 
-	/* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
+	/* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over
+         * other key exchange mechanisms */
+	ssl_cipher_apply_rule(0, SSL_kEECDH, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
commit	9cf708807c3dac2ddab893410af82423ac266830	[log] [tgz]
author	David Benjamin <davidben@chromium.org>	Mon Dec 15 21:38:54 2014 -0500
committer	Adam Langley <agl@google.com>	Tue Dec 16 02:56:36 2014 +0000
tree	bf161ed10809f7f08baeb87b39c86699b914b1b7
parent	248197585709b064007d9847baf9a7ef42a55f73 [diff]