From: Matt Caswell Date: Wed, 6 Nov 2024 09:53:11 +0000 (+0000) Subject: Don't complain with "no cipher match" for QUIC objects X-Git-Tag: openssl-3.3.3~110 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ba0b69c1dc767736d568338baf9c21375323cba;p=thirdparty%2Fopenssl.git Don't complain with "no cipher match" for QUIC objects Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled after calling them. However this is normal behaviour for QUIC objects which do not support TLSv1.2 ciphers. Therefore we should suppress that error in this case. Fixes #25878 Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25886) (cherry picked from commit 40237bf97aeb855856e7b74ed393e1767631e1a2) --- diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 4c20ac4bf1f..956132f495d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3337,7 +3337,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) */ if (sk == NULL) return 0; - else if (cipher_list_tls12_num(sk) == 0) { + if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); return 0; } @@ -3349,17 +3349,19 @@ int SSL_set_cipher_list(SSL *s, const char *str) { STACK_OF(SSL_CIPHER) *sk; SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + SSL_CTX *ctx; if (sc == NULL) return 0; - sk = ssl_create_cipher_list(s->ctx, sc->tls13_ciphersuites, + ctx = s->ctx; + sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites, &sc->cipher_list, &sc->cipher_list_by_id, str, sc->cert); /* see comment in SSL_CTX_set_cipher_list */ if (sk == NULL) return 0; - else if (cipher_list_tls12_num(sk) == 0) { + if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) { ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); return 0; }