SSL_CTX_free( c );
}
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+static char *
+tlso_stecpy( char *dst, const char *src, const char *end )
+{
+ while ( dst < end && *src )
+ *dst++ = *src++;
+ if ( dst < end )
+ *dst = '\0';
+ return dst;
+}
+
+/* OpenSSL 1.1.1 uses a separate API for TLS1.3 ciphersuites.
+ * Try to find any TLS1.3 ciphers in the given list of suites.
+ */
+static void
+tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+{
+ char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
+ char *ptr, *colon, *nptr;
+ char sname[128];
+ int ret;
+
+ *ts = '\0';
+ for ( ptr = suites;; ) {
+ colon = strchr( ptr, ':' );
+ if ( colon ) {
+ int len = colon - ptr;
+ if ( len > 63 ) len = 63;
+ strncpy( sname, ptr, len );
+ sname[len] = '\0';
+ nptr = sname;
+ } else {
+ nptr = ptr;
+ }
+ if ( SSL_CTX_set_ciphersuites( ctx, nptr )) {
+ if ( tls13_suites[0] )
+ ts = tlso_stecpy( ts, ":", te );
+ ts = tlso_stecpy( ts, sname, te );
+ }
+ if ( !colon || ts >= te )
+ break;
+ ptr = colon+1;
+ }
+ SSL_CTX_set_ciphersuites( ctx, tls13_suites );
+}
+#endif /* OpenSSL 1.1.1 TLS 1.3 */
+
/*
* initialize a new TLS context
*/
else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
- if ( lo->ldo_tls_ciphersuite &&
- !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
- {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not set cipher list %s.\n",
- lo->ldo_tls_ciphersuite, 0, 0 );
- tlso_report_error();
- return -1;
+ if ( lo->ldo_tls_ciphersuite ) {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+ tlso_ctx_cipher13( ctx, lt->lt_ciphersuite );
+#endif /* OpenSSL 1.1.1 */
+ if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
+ {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not set cipher list %s.\n",
+ lo->ldo_tls_ciphersuite, 0, 0 );
+ tlso_report_error();
+ return -1;
+ }
}
if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
projects / thirdparty / openldap.git / commitdiff
