From: Howard Chu Date: Thu, 12 Oct 2023 16:22:48 +0000 (+0100) Subject: ITS#10094 libldap/OpenSSL: fix setting ciphersuites X-Git-Tag: OPENLDAP_REL_ENG_2_5_17~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a15bef27639c0130797baaf3aa83d153f403889e;p=thirdparty%2Fopenldap.git ITS#10094 libldap/OpenSSL: fix setting ciphersuites Don't try old-style ciphersuite list if only v1.3 or newer ciphers were specified --- diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c index d6405bc44c..4123a9b91a 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -294,7 +294,7 @@ tlso_stecpy( char *dst, const char *src, const char *end ) * Try to find any TLS1.3 ciphers in the given list of suites. */ static void -tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) +tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites ) { char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites); char *ptr, *colon, *nptr; @@ -303,6 +303,8 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) SSL *s = SSL_new( ctx ); int ret; + *oldsuites = NULL; + if ( !s ) return; @@ -334,8 +336,15 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) if ( tls13_suites[0] ) ts = tlso_stecpy( ts, ":", te ); ts = tlso_stecpy( ts, nptr, te ); + } else if (! *oldsuites) { + /* should never happen, set_ciphersuites should + * only succeed for TLSv1.3 and above + */ + *oldsuites = ptr; } } + } else if (! *oldsuites) { + *oldsuites = ptr; } if ( !colon || ts >= te ) break; @@ -415,10 +424,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) } if ( lo->ldo_tls_ciphersuite ) { + char *oldsuites = lt->lt_ciphersuite; #if OPENSSL_VERSION_NUMBER >= 0x10101000 - tlso_ctx_cipher13( ctx, lt->lt_ciphersuite ); + tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites ); #endif - if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) ) + if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) ) { Debug1( LDAP_DEBUG_ANY, "TLS: could not set cipher list %s.\n",