From e397d1e020ba14160c3bb8819f6d3705eb7dbf5c Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Sun, 25 Oct 2015 15:28:20 +0000
Subject: [PATCH] Fix error that was not allowing cipher suite fallback for opportunistic TLS.
---
 src/stub.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/stub.c b/src/stub.c
index 15fc3951..c37fb471 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -913,7 +913,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
 else {
 SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_callback_with_fallback);
- SSL_CTX_set_cipher_list(context->tls_ctx, NULL);
+ SSL_set_cipher_list(ssl, "DEFAULT");
 }
 } else {
 /* Lack of host name is OK unless only authenticated TLS is specified*/
@@ -926,7 +926,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 DEBUG_STUB("--- %s, PROCEEDING WITHOUT HOSTNAME VALIDATION!!\n", __FUNCTION__);
 upstream->tls_auth_failed = 1;
 SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_callback_with_fallback);
- SSL_CTX_set_cipher_list(context->tls_ctx, NULL);
+ SSL_set_cipher_list(ssl, "DEFAULT");
 }
 }
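Review bot: The return value of `SSL_set_cipher_list(ssl, "DEFAULT")` is ignored in both hunks (the `else` branch at 913 and the no-hostname branch at 926); the call returns 0 when no cipher could be selected, and the fallback this commit is meant to enable would then fail without any trace. I would check it in both places, for example `if (!SSL_set_cipher_list(ssl, "DEFAULT")) DEBUG_STUB("--- %s, could not relax cipher list\n", __FUNCTION__);`. A short comment such as `/* opportunistic only: relax ciphers on this ssl, leave context->tls_ctx untouched */` would record why the per-connection call replaced the context-wide one, so authenticated connections sharing the context keep their (presumably stricter) list. Both branches also set `SSL_VERIFY_NONE`, and what "DEFAULT" permits depends on the linked OpenSSL version, so it is worth stating in that comment that the wider list is accepted only for unauthenticated opportunistic sessions. `tls_create_object` starts and ends outside both hunks, so the surrounding conditions are not visible here.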