From 40237bf97aeb855856e7b74ed393e1767631e1a2 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 6 Nov 2024 09:53:11 +0000
Subject: [PATCH] Don't complain with "no cipher match" for QUIC objects

Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled after calling them. However this is normal behaviour for QUIC objects which do not support TLSv1.2 ciphers. Therefore we should suppress that error in this case.

Fixes #25878

Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25886)
---
 ssl/ssl_lib.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 11dc4f95643..fe14fbfdd38 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3348,7 +3348,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
      */
     if (sk == NULL)
         return 0;
-    else if (cipher_list_tls12_num(sk) == 0) {
+    if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
         return 0;
     }
@@ -3360,17 +3360,19 @@ int SSL_set_cipher_list(SSL *s, const char *str)
 {
     STACK_OF(SSL_CIPHER) *sk;
     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+    SSL_CTX *ctx;
 
     if (sc == NULL)
         return 0;
 
-    sk = ssl_create_cipher_list(s->ctx, sc->tls13_ciphersuites,
+    ctx = s->ctx;
+    sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites,
                                 &sc->cipher_list, &sc->cipher_list_by_id, str,
                                 sc->cert);
     /* see comment in SSL_CTX_set_cipher_list */
     if (sk == NULL)
         return 0;
-    else if (cipher_list_tls12_num(sk) == 0) {
+    if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
         return 0;
     }
-- 
2.47.2
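Review bot: The new condition `ctx->method->num_ciphers() > 0` in SSL_CTX_set_cipher_list encodes "this method supports no TLSv1.2 ciphers" as a proxy for "this is a QUIC context", but nothing on the line says so, and the comment referenced just above the hunk ("see comment in SSL_CTX_set_cipher_list" in the sibling function) is outside this hunk and may not mention the QUIC case. I would add a one-line why-comment above the `if`, e.g. `/* QUIC methods expose no TLSv1.2 ciphers, so an empty TLSv1.2 list is not an error there */`, so the next reader does not "fix" the check back. Note the behavioural consequence for callers: on such a context a cipher string that matches nothing is now reported as success, so a mistyped TLSv1.2 cipher string is no longer diagnosed here; that seems acceptable because QUIC suites are configured via the TLSv1.3 ciphersuite list, but it is worth stating in the commit message or the comment. SSL_CTX_set_cipher_list begins and ends outside this hunk.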
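Review bot: In SSL_set_cipher_list the suppression keys off `ctx->method` (the SSL_CTX's method) rather than the SSL object's own method, and the hunk does not say why; if the SSL_CTX attached to a QUIC object can be swapped after creation (e.g. via SSL_set_SSL_CTX — I cannot confirm that from this hunk), the two methods could disagree and the check would follow the context, not the object. A short comment at the `ctx = s->ctx;` line, such as `/* the SSL_CTX's method decides whether TLSv1.2 ciphers are expected at all (none for QUIC) */`, would make the intended semantics explicit. The condition `ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0` is now duplicated verbatim in both functions; factoring it into a small `static int` helper (e.g. `ssl_tls12_ciphers_required(const SSL_CTX *ctx)`) would keep the two call sites from drifting apart. SSL_set_cipher_list's `return 1;` and closing brace lie outside this hunk.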