From: Howard Chu Date: Thu, 12 Oct 2023 16:22:48 +0000 (+0100) Subject: ITS#10094 libldap/OpenSSL: fix setting ciphersuites X-Git-Tag: OPENLDAP_REL_ENG_2_6_7~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=70be1f177d25fd3077ecc054ed09674e77f25a26;p=thirdparty%2Fopenldap.git ITS#10094 libldap/OpenSSL: fix setting ciphersuites Don't try old-style ciphersuite list if only v1.3 or newer ciphers were specified --- diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c index 8f1d84efa1..abc1317778 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -296,7 +296,7 @@ tlso_stecpy( char *dst, const char *src, const char *end ) * Try to find any TLS1.3 ciphers in the given list of suites. */ static void -tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) +tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites ) { char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites); char *ptr, *colon, *nptr; @@ -305,6 +305,8 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) SSL *s = SSL_new( ctx ); int ret; + *oldsuites = NULL; + if ( !s ) return; @@ -336,8 +338,15 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) if ( tls13_suites[0] ) ts = tlso_stecpy( ts, ":", te ); ts = tlso_stecpy( ts, nptr, te ); + } else if (! *oldsuites) { + /* should never happen, set_ciphersuites should + * only succeed for TLSv1.3 and above + */ + *oldsuites = ptr; } } + } else if (! *oldsuites) { + *oldsuites = ptr; } if ( !colon || ts >= te ) break; @@ -417,10 +426,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * } if ( lo->ldo_tls_ciphersuite ) { + char *oldsuites = lt->lt_ciphersuite; #if OPENSSL_VERSION_NUMBER >= 0x10101000 - tlso_ctx_cipher13( ctx, lt->lt_ciphersuite ); + tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites ); #endif - if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) ) + if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) ) { Debug1( LDAP_DEBUG_ANY, "TLS: could not set cipher list %s.\n",