zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't complain with "no cipher match" for QUIC objects

Browse Source 
Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will
return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled
after calling them. However this is normal behaviour for QUIC objects which do
not support TLSv1.2 ciphers. Therefore we should suppress that error in this
case.

Fixes #25878

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25886)
This commit is contained in:
Matt Caswell 2024-11-06 09:53:11 +00:00 committed by Tomas Mraz
parent e54526413d
commit 40237bf97a
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ssl/ssl_lib.c
View File

@ -3348,7 +3348,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
*/
if (sk == NULL)
return 0;
else if (cipher_list_tls12_num(sk) == 0) {
if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
return 0;
}
@ -3360,17 +3360,19 @@ int SSL_set_cipher_list(SSL *s, const char *str)
{
STACK_OF(SSL_CIPHER) *sk;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
SSL_CTX *ctx;
if (sc == NULL)
return 0;
sk = ssl_create_cipher_list(s->ctx, sc->tls13_ciphersuites,
ctx = s->ctx;
sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites,
&sc->cipher_list, &sc->cipher_list_by_id, str,
sc->cert);
/* see comment in SSL_CTX_set_cipher_list */
if (sk == NULL)
return 0;
else if (cipher_list_tls12_num(sk) == 0) {
if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
return 0;
}