public/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Don't complain with "no cipher match" for QUIC objects

Browse source 
Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will
return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled
after calling them. However this is normal behaviour for QUIC objects which do
not support TLSv1.2 ciphers. Therefore we should suppress that error in this
case.

Fixes #25878

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25886)

(cherry picked from commit 40237bf97a)
This commit is contained in:
Matt Caswell 2024-11-06 09:53:11 +00:00 committed by Tomas Mraz
parent 690b24d6c0
commit 9ba0b69c1d
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
ssl/ssl_lib.c
View file

@ -3337,7 +3337,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
*/
if (sk == NULL)
return 0;
else if (cipher_list_tls12_num(sk) == 0) {
if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
return 0;
}
@ -3349,17 +3349,19 @@ int SSL_set_cipher_list(SSL *s, const char *str)
{
STACK_OF(SSL_CIPHER) *sk;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
SSL_CTX *ctx;
if (sc == NULL)
return 0;
sk = ssl_create_cipher_list(s->ctx, sc->tls13_ciphersuites,
ctx = s->ctx;
sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites,
&sc->cipher_list, &sc->cipher_list_by_id, str,
sc->cert);
/* see comment in SSL_CTX_set_cipher_list */
if (sk == NULL)
return 0;
else if (cipher_list_tls12_num(sk) == 0) {
if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
return 0;
}