/* OpenSSL 1.1.1 uses a separate API for TLS1.3 ciphersuites.
* Try to find any TLS1.3 ciphers in the given list of suites.
*/
-static void
+static int
tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
{
char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
char sname[128];
STACK_OF(SSL_CIPHER) *cs;
SSL *s = SSL_new( ctx );
- int ret;
+ int ret = 0;
*oldsuites = NULL;
if ( !s )
- return;
+ return ret;
*ts = '\0';
SSL_free( s );
/* If no TLS1.3 ciphersuites were specified, leave current settings untouched. */
- if ( tls13_suites[0] )
- SSL_CTX_set_ciphersuites( ctx, tls13_suites );
+ if ( tls13_suites[0] && !SSL_CTX_set_ciphersuites( ctx, tls13_suites ))
+ ret = -1;
+ return ret;
}
#endif /* OpenSSL 1.1.1 */
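Review bot: The early exit `if ( !s ) return ret;` returns 0 when `SSL_new( ctx )` fails, so the caller treats an allocation failure as success even though no TLS 1.3 ciphersuite list was applied. Because `*oldsuites = NULL;` is set just before that exit, the caller's guarded `SSL_CTX_set_cipher_list( ctx, oldsuites )` is skipped too, leaving the context with the administrator's cipher restriction silently dropped — a fail-open path, whereas the function's other failure (`SSL_CTX_set_ciphersuites`) now reports `-1`. The exit should fail the same way: `if ( !s ) return -1;`, which lets the caller log and `tlso_report_error` the OpenSSL error queue as it already does for the set_ciphersuites failure. Note that the body between `*ts = '\0';` and `SSL_free( s );` is not shown in this hunk; the observation above only concerns the visible early-return path.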
if ( lo->ldo_tls_ciphersuite ) {
char *oldsuites = lt->lt_ciphersuite;
#if OPENSSL_VERSION_NUMBER >= 0x10101000
- tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites );
+ if ( tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites ))
+ {
+ Debug1( LDAP_DEBUG_ANY,
+ "TLS: could not set TLSv1.3 cipher list %s.\n",
+ lo->ldo_tls_ciphersuite );
+ tlso_report_error( errmsg );
+ return -1;
+ }
#endif
if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) )
{