From: David Goulet <dgoulet@torproject.org>
Date: Thu, 26 Jun 2025 16:16:45 +0000 (-0400)
Subject: Merge branch 'maint-0.4.8'
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e3a63c13ccd40f09d2c0bcd8cae93ccfe4fb0d7;p=thirdparty%2Ftor.git

Merge branch 'maint-0.4.8'
---

4e3a63c13ccd40f09d2c0bcd8cae93ccfe4fb0d7
diff --cc configure.ac
index bf388b447b,64448ba945..ed1b92c416
--- a/configure.ac
+++ b/configure.ac
@@@ -1155,9 -1132,27 +1155,10 @@@ dnl check the openssl version number, b
  dnl confusing with LibreSSL, OpenSSL, and various distributions' patches
  dnl to them.
  AC_CHECK_FUNCS([ \
 -		ERR_load_KDF_strings \
  		EVP_PBE_scrypt \
- 		SSL_CTX_set_security_level
- 	       ])
 -		SSL_CIPHER_find \
 -		SSL_CTX_set1_groups_list \
+ 		SSL_CTX_set_security_level \
 -		SSL_SESSION_get_master_key \
 -		SSL_get_client_ciphers \
 -		SSL_get_client_random \
 -		SSL_get_server_random \
 -                SSL_set_ciphersuites \
 -		TLS_method
 -	       ])
 -
 -dnl Check if OpenSSL structures are opaque
 -AC_CHECK_MEMBERS([SSL.state], , ,
 -[#include <openssl/ssl.h>
 -])
 -
 -AC_CHECK_SIZEOF(SHA_CTX, , [AC_INCLUDES_DEFAULT()
 -#include <openssl/sha.h>
++        SSL_set_ciphersuites
+ ])
  
  fi # enable_nss
  
diff --cc src/lib/tls/tortls_openssl.c
index 120565aa62,5654f7f654..7c7ceecd0c
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@@ -666,9 -1142,24 +672,26 @@@ tor_tls_new(tor_socket_t sock, int isSe
    }
  #endif /* defined(SSL_CTRL_SET_MAX_PROTO_VERSION) */
  
-   if (!SSL_set_cipher_list(result->ssl,
-                            isServer ? UNRESTRICTED_TLS1_2_SERVER_CIPHER_LIST
-                                     : CLIENT_CIPHER_LIST)) {
+   /* Contrary to SSL_set_cipher_list(), TLSv1.3 SSL_set_ciphersuites() does NOT
+    * accept the final ':' so we have to strip it out. */
+   size_t TLSv13len = strlen(CLIENT_CIPHER_LIST_TLSv13);
+   if (TLSv13len && CLIENT_CIPHER_LIST_TLSv13[TLSv13len - 1] == ':') {
+     CLIENT_CIPHER_LIST_TLSv13[TLSv13len - 1] = '\0';
+   }
+ 
+   const bool tls12_ciphers_ok = SSL_set_cipher_list(
 -      result->ssl, isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST);
++      result->ssl,
++      isServer ? UNRESTRICTED_TLS1_2_SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST);
++
+   bool tls13_ciphers_ok = true;
+ #ifdef HAVE_SSL_SET_CIPHERSUITES
+   if (!isServer) {
+     tls13_ciphers_ok =
+       SSL_set_ciphersuites(result->ssl, CLIENT_CIPHER_LIST_TLSv13);
+   }
+ #endif
+ 
+   if (!tls12_ciphers_ok || !tls13_ciphers_ok) {
      tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
  #ifdef SSL_set_tlsext_host_name
      SSL_set_tlsext_host_name(result->ssl, NULL);