From: Wouter Wijngaards
Date: Fri, 3 Nov 2017 07:40:36 +0000 (+0000)
Subject: - Fix #2362: TLS1.3/openssl-1.1.1 not working.
X-Git-Tag: release-1.7.0rc1~162
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=621b1c57a3557b9dcbd0db46c962ae795f9d8033;p=thirdparty%2Funbound.git

- Fix #2362: TLS1.3/openssl-1.1.1 not working.

git-svn-id: file:///svn/unbound/trunk@4396 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 14f535804..5e9b0a8cb 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+3 November 2017: Wouter
+	- Fix #2362: TLS1.3/openssl-1.1.1 not working.
+
 2 November 2017: Wouter
 	- Fix #1913: ub_ctx_config is under circumstances thread-safe.
 	- make ip-transparent option work on OpenBSD.
diff --git a/util/net_help.c b/util/net_help.c
index ce136a337..d99a2f974 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -645,7 +645,7 @@ listen_sslctx_setup(void* ctxt)
 #endif
 #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
 	/* if we have sha256, set the cipher list to have no known vulns */
-	if(!SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
+	if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
 		log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
 #endif
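Review bot: The three `TLS13-*` entries prepended to the SSL_CTX_set_cipher_list() string in the net_help.c hunk appear to be the pre-release spelling of the TLS 1.3 suites; in the released OpenSSL 1.1.1 API those suites are configured separately through `SSL_CTX_set_ciphersuites()` (names like `TLS_AES_256_GCM_SHA384`), and SSL_CTX_set_cipher_list() governs only the TLS 1.2-and-below list. Because SSL_CTX_set_cipher_list() returns success as long as at least one name in the string resolves, unrecognized TLS 1.3 entries are dropped silently, so the existing log_crypto_err branch gives no signal that the intended TLS 1.3 preference did not apply and the library's default TLS 1.3 suites (all AEAD) are used instead. I would add a comment on the new line, `/* TLS13-* names are only understood by OpenSSL 1.1.1 pre-releases; later releases take TLS 1.3 suites via SSL_CTX_set_ciphersuites() and silently ignore these */`, and, once configure can detect that function, set the TLS 1.3 suites in a guarded call as sketched below. Note that a failed SSL_CTX_set_cipher_list() still only logs and the function continues with OpenSSL's default list, which this commit does not change. listen_sslctx_setup() continues outside the hunk.

```c
	/* if we have sha256, set the cipher list to have no known vulns */
	/* … unchanged: SSL_CTX_set_cipher_list() call and its log_crypto_err() … */
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES /* placeholder: the configure-detected macro for this function */
	/* OpenSSL 1.1.1 and later take the TLS 1.3 suites here, not via
	 * SSL_CTX_set_cipher_list(); keep the list AEAD-only, ChaCha20 first. */
	if(!SSL_CTX_set_ciphersuites(ctx, "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"))
		log_crypto_err("could not set ciphersuites with SSL_CTX_set_ciphersuites");
#endif
#endif
```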