Commit cd3567d7 authored by Howard Chu's avatar Howard Chu
Browse files

ITS#9521 additional ciphersuite fixes

Actually check version of matched ciphersuite names.
Also, don't change existing TLS1.3 suites if none are specified
in the new suite string. Avoids ITS#9546.
parent 4993b343
......@@ -295,9 +295,22 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
char *ptr, *colon, *nptr;
char sname[128];
STACK_OF(SSL_CIPHER) *cs;
SSL *s = SSL_new( ctx );
int ret;
if ( !s )
return;
*ts = '\0';
/* check individual suites in a separate SSL handle before
* mucking with the provided ctx. Init it to a known
* mostly-empty state.
*/
SSL_set_ciphersuites( s, "" );
SSL_set_cipher_list( s, SSL3_TXT_RSA_NULL_SHA );
for ( ptr = suites;; ) {
colon = strchr( ptr, ':' );
if ( colon ) {
......@@ -309,16 +322,26 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
} else {
nptr = ptr;
}
if ( SSL_CTX_set_ciphersuites( ctx, nptr )) {
if ( tls13_suites[0] )
ts = tlso_stecpy( ts, ":", te );
ts = tlso_stecpy( ts, sname, te );
if ( SSL_set_ciphersuites( s, nptr )) {
cs = SSL_get_ciphers( s );
if ( cs ) {
const char *ver = SSL_CIPHER_get_version( sk_SSL_CIPHER_value( cs, 0 ));
if ( !strncmp( ver, "TLSv", 4 ) && strncmp( ver+4, "1.3", 3 ) >= 0 ) {
if ( tls13_suites[0] )
ts = tlso_stecpy( ts, ":", te );
ts = tlso_stecpy( ts, sname, te );
}
}
}
if ( !colon || ts >= te )
break;
ptr = colon+1;
}
SSL_CTX_set_ciphersuites( ctx, tls13_suites );
SSL_free( s );
/* If no TLS1.3 ciphersuites were specified, leave current settings untouched. */
if ( tls13_suites[0] )
SSL_CTX_set_ciphersuites( ctx, tls13_suites );
}
#endif /* OpenSSL 1.1.1 */
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment