Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version()

Historically SSL_CTX_set_ssl_version() has reset the cipher list to the default. Splitting TLS 1.3 ciphers to be tracked separately caused a behavior change, in that TLS 1.3 cipher configuration was preserved across calls to SSL_CTX_set_ssl_version(). To restore commensurate behavior with the historical behavior, set the ciphersuites to the default as well as setting the cipher list to the default. Closes: #7226 Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7270)

Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version()
Historically SSL_CTX_set_ssl_version() has reset the cipher list to the default. Splitting TLS 1.3 ciphers to be tracked separately caused a behavior change, in that TLS 1.3 cipher configuration was preserved across calls to SSL_CTX_set_ssl_version(). To restore commensurate behavior with the historical behavior, set the ciphersuites to the default as well as setting the cipher list to the default. Closes: #7226 Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7270)
2340ed27 · Benjamin Kaduk · Benjamin Kaduk · 0db957db · 2340ed27
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

ssl/ssl_lib.c ssl/ssl_lib.c +4 -0

未找到文件。
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)

    ctx->method = meth;

+    if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) {
+        SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+        return 0;
+    }
    sk = ssl_create_cipher_list(ctx->method,
                                ctx->tls13_ciphersuites,
                                &(ctx->cipher_list),