From: Nick Porter Date: Tue, 30 Jul 2024 09:22:52 +0000 (+0100) Subject: If OpenSSL handshake fails during Client Hello report cipher lists X-Git-Tag: release_3_2_6~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ae9bc72016ef664c0912bae37dd539d9999139e;p=thirdparty%2Ffreeradius-server.git If OpenSSL handshake fails during Client Hello report cipher lists Helps get to the bottom of "no shared cipher" errors.
---
diff --git a/src/main/cb.c b/src/main/cb.c
index 65e484fb54e..bfaeb35b885 100644
--- a/src/main/cb.c
+++ b/src/main/cb.c
@@ -71,6 +71,7 @@ void cbtls_info(SSL const *s, int where, int ret)
 int num_ciphers;
 const SSL_CIPHER *this_cipher;
+ report_ciphers:
 server_ciphers = SSL_get_ciphers(s);
 if (server_ciphers) {
 RDEBUG3("Server preferred ciphers (by priority)");
@@ -80,7 +81,7 @@ void cbtls_info(SSL const *s, int where, int ret)
 RDEBUG3("(TLS) [%i] %s", i, SSL_CIPHER_get_name(this_cipher));
 }
 }
-
+
 client_ciphers = SSL_get_client_ciphers(s);
 if (client_ciphers) {
 RDEBUG3("(TLS) %s - Client preferred ciphers (by priority)", conf->name);
@@ -122,6 +123,9 @@ void cbtls_info(SSL const *s, int where, int ret)
 return;
 }
 RERROR("(TLS) %s - %s: Error in %s", conf->name, role, state);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if (RDEBUG_ENABLED3 && (SSL_get_state(s) == TLS_ST_SR_CLNT_HELLO)) goto report_ciphers;
+#endif
 }
 }
 }
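Review bot: The `goto report_ciphers` added after the `RERROR("(TLS) %s - %s: Error in %s", ...)` line in the third hunk jumps backwards to the label added in the first hunk, which sits below the declarations `int num_ciphers; const SSL_CIPHER *this_cipher;`, so the error path enters that block from outside it. C permits this, but any initializer on a declaration above the label is skipped on that path. The visible lines assign `server_ciphers` and `client_ciphers` after the label, which is safe. The loop that sets `i` and the code following the listing lie outside these hunks, so it is worth confirming that nothing reached from the label reads a value set only on the normal path and that control then returns rather than continuing into unrelated handling. Moving the cipher listing into a small static helper called from both places would remove the cross-branch jump; failing that, a comment at the label such as `/* also entered by goto from the handshake error path: assign everything used below after this label */` would protect later edits.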