MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC

Patch ed9b8fec49 ("BUG/MEDIUM: ssl: AWS-LC + TLSv1.3 won't do ECDSA in
RSA+ECDSA configuration") partly fixed a cipher selection problem with
AWS-LC. However this was not checking anymore if the ciphersuites was
available in haproxy which is still a problem.

The problem was fixed in AWS-LC 1.46.0 with this PR
https://github.com/aws/aws-lc/pull/2092.

This patch allows to filter again the TLS13 ciphersuites with recent
versions of AWS-LC. However, since there are no macros to check the
AWS-LC version, it is enabled at the next AWS-LC API version change
following the fix in AWS-LC v1.50.0.

This could be backported where ed9b8fec49 was backported.

diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c
index 9d2f4509357c985364d022a621918710dcef72a0..5c951a6ba993617365960975fc97f5ea5714b0fc 100644 (file)
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@@ -379,9 +379,11 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
                                continue;
 
                        /* check if this cipher is available in haproxy configuration */
-#if defined(OPENSSL_IS_AWSLC)
+
+#if defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION <= 32
                         /* because AWS-LC does not provide the TLSv1.3 ciphersuites (which are NID_auth_any) in ha_ciphers,
-                         * does not check if it's available when it's an NID_auth_any
+                         * does not check if it's available when it's an NID_auth_any.
+                         * This was fixed in v1.46.0, API version changed in v1.50.0
                          */
                         if (sk_SSL_CIPHER_find(ha_ciphers, cipher) == -1 && SSL_CIPHER_get_auth_nid(cipher) != NID_auth_any)
                                continue;