Consider using SSL_OP_CIPHER_SERVER_PREFERENCE
With legacy/trac#11513 (moved), we gave the servers a reasonable set of ciphers to allow. On that ticket, cypherpunks notes:
By default the server follows the client's preference. It depends on the SSL_OP_CIPHER_SERVER_PREFERENCE option. Is it worth it to prevent any possible insecure choice by the client, or to allow the client to choose its own destiny? (If something is wrong with one of the ciphers, then the client's software would be updated faster.) Either way, the server's cipher list should be ordered for clarity, just in case, and for the future.
So to be clear, my understanding is that the algorithm is to take the intersection of the client's list and the server's list, and then pick the item in the intersection that appeared first in the client's order (by default) or the item in the intersection that appeared first in the server's list (if SSL_OP_CIPHER_SERVER_PREFERENCE is set on the server).
Which way shall we do it?