From: Stefan Eissing
Date: Fri, 7 Feb 2025 10:03:18 +0000 (+0100)
Subject: openssl-quic: ignore ciphers for h3
X-Git-Tag: curl-8_12_1~48
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbf8fecda5fd70d3f5b183a43416e75dc6dad7ea;p=thirdparty%2Fcurl.git
openssl-quic: ignore ciphers for h3
OpenSSL QUIC method errors on setting TLSv1.2 ciphers, where other methods do not. Refrain setting --ciphers when min TLS version is 1.3 or higher. Refrain setting --tls13-ciphers when max TLS version is less than 1.3. Add 2 test cases.
Fixes #16232
Reported-by: zzq1015 on github
Closes #16235
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 62601a6ad2..b00fbe8b93 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3670,7 +3670,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
 ctx_option_t ctx_options = 0;
 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
- const long int ssl_version_min = conn_config->version;
+ unsigned int ssl_version_min = conn_config->version;
 char * const ssl_cert = ssl_config->primary.clientcert;
 const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
 const char * const ssl_cert_type = ssl_config->cert_type;
@@ -3713,6 +3713,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
 }
 break;
 case TRNSPRT_QUIC:
+ ssl_version_min = CURL_SSLVERSION_TLSv1_3;
 if(conn_config->version_max &&
 (conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) {
 failf(data, "QUIC needs at least TLS version 1.3");
@@ -3876,7 +3877,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
 ciphers = conn_config->cipher_list;
 if(!ciphers && (peer->transport != TRNSPRT_QUIC))
 ciphers = DEFAULT_CIPHER_SELECTION;
- if(ciphers) {
+ if(ciphers && (ssl_version_min < CURL_SSLVERSION_TLSv1_3)) {
 if(!SSL_CTX_set_cipher_list(octx->ssl_ctx, ciphers)) {
 failf(data, "failed setting cipher list: %s", ciphers);
 return CURLE_SSL_CIPHER;
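Review bot: The override `ssl_version_min = CURL_SSLVERSION_TLSv1_3;` in the TRNSPRT_QUIC case makes the local diverge from `conn_config->version`, and nothing in the hunk tells the reader whether the local is now only a gate for the TLS 1.2 cipher list or also the value that drives the minimum protocol version applied to the context. A one-line comment on the new line would settle that: `/* QUIC is TLS 1.3 only: treat the minimum as 1.3 so the TLS 1.2 cipher list is skipped below */`. Whether a later min/max-version setter reads this local or reads the config directly is not visible here; if it reads the local, the assignment also changes the negotiated floor and the comment should say so. Curl_ossl_ctx_init starts before and ends after this hunk.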
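Review bot: The new gate `if(ciphers && (ssl_version_min < CURL_SSLVERSION_TLSv1_3))` discards an explicitly configured `--ciphers` list without any diagnostic, so a user who relied on that option to restrict a TLS 1.3-only connection now gets a silent success where they previously got an error; the test added by this commit passes `'NONSENSE'` straight through. Skipping the string is correct, since a TLS 1.2 cipher list cannot apply to a 1.3-only handshake, but the skip should be visible, e.g. just before the if: `if(conn_config->cipher_list && (ssl_version_min >= CURL_SSLVERSION_TLSv1_3))` / `infof(data, "ignoring cipher list, minimum TLS version is 1.3 (use --tls13-ciphers)");`. Testing `conn_config->cipher_list` rather than `ciphers` keeps the message from firing for the implicit DEFAULT_CIPHER_SELECTION. Curl_ossl_ctx_init continues outside this hunk.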
@@ -3887,7 +3888,9 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 {
 const char *ciphers13 = conn_config->cipher_list13;
- if(ciphers13) {
+ if(ciphers13 &&
+ (!conn_config->version_max ||
+ (conn_config->version_max >= CURL_SSLVERSION_MAX_TLSv1_3))) {
 if(!SSL_CTX_set_ciphersuites(octx->ssl_ctx, ciphers13)) {
 failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);
 return CURLE_SSL_CIPHER;
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index d3d4c5db75..14bc95640b 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -424,3 +424,25 @@ class TestSSLUse:
 r = curl.http_get(url=url, alpn_proto=proto, extra_args=xargs)
 assert r.exit_code == 0, f'{r}'
 assert r.json['SSL_SESSION_RESUMED'] == 'Resumed', f'{r.json}\n{r.dump_logs()}'
+
+ # verify the ciphers are ignored when talking TLSv1.3 only
+ # see issue #16232
+ def test_17_16_h3_ignore_ciphers12(self, env: Env):
+ proto = 'h3'
+ if proto == 'h3' and not env.have_h3():
+ pytest.skip("h3 not supported")
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '--ciphers', 'NONSENSE'
+ ])
+ assert r.exit_code == 0, f'{r}'
+
+ def test_17_17_h1_ignore_ciphers13(self, env: Env):
+ proto = 'http/1.1'
+ curl = CurlClient(env=env)
+ url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+ r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+ '--tls13-ciphers', 'NONSENSE', '--tls-max', '1.2'
+ ])
+ assert r.exit_code == 0, f'{r}'
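Review bot: The new condition `(!conn_config->version_max || (conn_config->version_max >= CURL_SSLVERSION_MAX_TLSv1_3))` treats every non-zero `version_max` below `CURL_SSLVERSION_MAX_TLSv1_3` as "TLS 1.3 excluded", but curl's public enum also defines `CURL_SSLVERSION_MAX_DEFAULT` as `CURL_SSLVERSION_TLSv1 << 16`, which sorts below `CURL_SSLVERSION_MAX_TLSv1_3` yet means "library default maximum", i.e. TLS 1.3 still negotiable. If `conn_config->version_max` can carry that value (not visible in this hunk), an explicit `--tls13-ciphers` list would be silently discarded on a connection that does end up on TLS 1.3, which is the opposite of the restriction the user asked for. Accept it explicitly by adding `(conn_config->version_max == CURL_SSLVERSION_MAX_DEFAULT) ||` as a third alternative, and emit an `infof()` when the list really is skipped so the drop is not silent. Curl_ossl_ctx_init continues outside this hunk.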
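Review bot: Both new tests assert only `r.exit_code == 0`, which does not show that the bogus cipher string was ignored on the intended protocol version rather than never reaching the code under test; the test just above reads `r.json['SSL_SESSION_RESUMED']` from the same sslinfo endpoint, so if that endpoint also reports the negotiated protocol, `assert r.json['SSL_PROTOCOL'] == 'TLSv1.3'` in test_17_16 and `== 'TLSv1.2'` in test_17_17 would pin it. The commit message also covers the non-QUIC case (a TCP connection with minimum TLS 1.3 now skips `--ciphers` too), but no test exercises it; a third case with `proto = 'http/1.1'` and `'--ciphers', 'NONSENSE', '--tlsv1.3'` would. In test_17_16 the guard `if proto == 'h3' and not env.have_h3():` compares a constant with itself; `if not env.have_h3():` is clearer. Whether this test module is restricted to the OpenSSL backend is not visible here; if it is not, the new expectation should be gated on it, since the ignore behaviour is implemented only in openssl.c in this commit.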