From: Corinna Brandt
Date: Tue, 29 Apr 2025 13:31:17 +0000 (+0200)
Subject: openssl: set the cipher string before doing private cert
X-Git-Tag: curl-8_14_0~174
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea897fddfce5ee0cb665f79d033005ecf92084b7;p=thirdparty%2Fcurl.git

openssl: set the cipher string before doing private cert

... as this allows a set string to affect how OpenSSL deals with the private keys/certs.

Closes #17227
---

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 96b2d88552..78aacb05fc 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3812,18 +3812,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
   SSL_CTX_set_mode(octx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 #endif
 
-  if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
-    if(!result &&
-       !cert_stuff(data, octx->ssl_ctx,
-                   ssl_cert, ssl_cert_blob, ssl_cert_type,
-                   ssl_config->key, ssl_config->key_blob,
-                   ssl_config->key_type, ssl_config->key_passwd))
-      result = CURLE_SSL_CERTPROBLEM;
-    if(result)
-      /* failf() is already done in cert_stuff() */
-      return result;
-  }
-
   ciphers = conn_config->cipher_list;
   if(!ciphers && (peer->transport != TRNSPRT_QUIC))
     ciphers = DEFAULT_CIPHER_SELECTION;
@@ -3850,6 +3838,18 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
   }
 #endif
 
+  if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
+    if(!result &&
+       !cert_stuff(data, octx->ssl_ctx,
+                   ssl_cert, ssl_cert_blob, ssl_cert_type,
+                   ssl_config->key, ssl_config->key_blob,
+                   ssl_config->key_type, ssl_config->key_passwd))
+      result = CURLE_SSL_CERTPROBLEM;
+    if(result)
+      /* failf() is already done in cert_stuff() */
+      return result;
+  }
+
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
   /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
   SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1);
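Review bot: The relocated cert_stuff() block in the second hunk carries no comment explaining why it must now run after the cipher list (and the ciphersuites block the preceding `#endif` appears to close) has been applied, so a later cleanup could move it back without noticing that the ordering is load-bearing. Add above `if(ssl_cert || ssl_cert_blob || ssl_cert_type) {` a comment such as `/* must follow the cipher string setup: entries in it (e.g. a security level) change how OpenSSL accepts the private key/cert */`. The block also keeps its `if(!result && ...)` pre-check; the cipher-setting code it now follows presumably returns on its own failures, so `result` is likely still CURLE_OK here and the guard is worth either dropping or documenting so the next reader does not assume an earlier error can reach this point. Curl_ossl_ctx_init starts and ends outside both hunks.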