From ea897fddfce5ee0cb665f79d033005ecf92084b7 Mon Sep 17 00:00:00 2001 From: Corinna Brandt Date: Tue, 29 Apr 2025 15:31:17 +0200 Subject: [PATCH] openssl: set the cipher string before doing private cert ... as this allows a set string to affect how OpenSSL deals with the private keys/certs. Closes #17227 --- lib/vtls/openssl.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 96b2d88552..78aacb05fc 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3812,18 +3812,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, SSL_CTX_set_mode(octx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); #endif - if(ssl_cert || ssl_cert_blob || ssl_cert_type) { - if(!result && - !cert_stuff(data, octx->ssl_ctx, - ssl_cert, ssl_cert_blob, ssl_cert_type, - ssl_config->key, ssl_config->key_blob, - ssl_config->key_type, ssl_config->key_passwd)) - result = CURLE_SSL_CERTPROBLEM; - if(result) - /* failf() is already done in cert_stuff() */ - return result; - } - ciphers = conn_config->cipher_list; if(!ciphers && (peer->transport != TRNSPRT_QUIC)) ciphers = DEFAULT_CIPHER_SELECTION; @@ -3850,6 +3838,18 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, } #endif + if(ssl_cert || ssl_cert_blob || ssl_cert_type) { + if(!result && + !cert_stuff(data, octx->ssl_ctx, + ssl_cert, ssl_cert_blob, ssl_cert_type, + ssl_config->key, ssl_config->key_blob, + ssl_config->key_type, ssl_config->key_passwd)) + result = CURLE_SSL_CERTPROBLEM; + if(result) + /* failf() is already done in cert_stuff() */ + return result; + } + #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH /* OpenSSL 1.1.1 requires clients to opt-in for PHA */ SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1); -- 2.47.3