I have a light HTTP server (embedded software solution). This HTTP server calls OpenSSL functions to handle HTTPS connections.
I want to make the HTTPS server prioritize some ciphers, because according to the following link, the HTTPS connection is more secure when the DH ciphers are prioritized:
Instead of using the RSA method for exchanging session keys, you should use the Elliptic Curve Diffie-Hellman (ECDHE) key exchange. Note that you can still use the RSA public-key cryptosystem as the encryption algorithm, just not as the key exchange algorithm. ECDHE is much faster than ordinary DH (Diffie-Hellman), but both create session keys that only the entities involved in the SSL connection can access. Because the session keys are not linked to the server’s key pair, the server’s private key alone cannot be used to decrypt any SSL session.
To enable Perfect Forward Secrecy, you must do the following:
1- Reorder your cipher suites to place the ECDHE (Elliptic Curve Diffie-Hellman) suites at the top of list, followed by the DHE (Diffie-Hellman) suites.
2- Configure servers to enable other non-DH-key-exchange cipher suites from the list of cipher suites offered by the SSL Client.
How can I change the cipher order on my OpenSSL server to put the DH ciphers first?
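The ordering described in steps 1 and 2, as an added example that is not part of the original post: it uses Python's `ssl` module, which wraps OpenSSL, to apply a cipher list and check the resulting preference order. The cipher string is an assumed policy; in the C API the same string is passed to `SSL_CTX_set_cipher_list()` and the matching option is `SSL_OP_CIPHER_SERVER_PREFERENCE`.

```python
import ssl

# Assumed policy for this example, in OpenSSL cipher-list syntax:
# ECDHE suites first, then DHE, then plain-RSA key exchange as a fallback.
CIPHER_ORDER = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES:"
    "DHE+AESGCM:DHE+CHACHA20:DHE+AES:"
    "kRSA+AESGCM:kRSA+AES:"
    "!aNULL:!eNULL"
)


def make_server_context():
    """Build a server-side context that applies CIPHER_ORDER."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(CIPHER_ORDER)
    # Without this option the server follows the client's ordering and
    # the list above only acts as a filter.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def key_exchange_rank(name):
    """0 = ECDHE, 1 = DHE, 2 = anything else, judged by OpenSSL suite name."""
    if name.startswith("ECDHE-"):
        return 0
    if name.startswith("DHE-"):
        return 1
    return 2


def configured_order(ctx):
    """Suite names in the server's preference order, TLS 1.2 and below.

    TLS 1.3 suites are configured separately from this list, so they are
    left out of the check.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def order_is_forward_secret_first(names):
    """True when every ECDHE suite precedes every DHE suite, then the rest."""
    ranks = [key_exchange_rank(n) for n in names]
    return bool(ranks) and ranks == sorted(ranks) and ranks[0] == 0


if __name__ == "__main__":
    for name in configured_order(make_server_context()):
        print(key_exchange_rank(name), name)
```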