From: William Lallemand Date: Mon, 30 Jun 2025 14:20:29 +0000 (+0200) Subject: MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC X-Git-Tag: v3.3-dev3~71 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fc8ab0397f01c58a31f203b4d97c79cff3ae244;p=thirdparty%2Fhaproxy.git MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC Patch ed9b8fec49 ("BUG/MEDIUM: ssl: AWS-LC + TLSv1.3 won't do ECDSA in RSA+ECDSA configuration") partly fixed a cipher selection problem with AWS-LC. However this was not checking anymore if the ciphersuites was available in haproxy which is still a problem. The problem was fixed in AWS-LC 1.46.0 with this PR https://github.com/aws/aws-lc/pull/2092. This patch allows to filter again the TLS13 ciphersuites with recent versions of AWS-LC. However, since there are no macros to check the AWS-LC version, it is enabled at the next AWS-LC API version change following the fix in AWS-LC v1.50.0. This could be backported where ed9b8fec49 was backported. --- diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c index 9d2f45093..5c951a6ba 100644 --- a/src/ssl_clienthello.c +++ b/src/ssl_clienthello.c @@ -379,9 +379,11 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) continue; /* check if this cipher is available in haproxy configuration */ -#if defined(OPENSSL_IS_AWSLC) + +#if defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION <= 32 /* because AWS-LC does not provide the TLSv1.3 ciphersuites (which are NID_auth_any) in ha_ciphers, - * does not check if it's available when it's an NID_auth_any + * does not check if it's available when it's an NID_auth_any. + * This was fixed in v1.46.0, API version changed in v1.50.0 */ if (sk_SSL_CIPHER_find(ha_ciphers, cipher) == -1 && SSL_CIPHER_get_auth_nid(cipher) != NID_auth_any) continue;