[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

kaduk at mit.edu kaduk at mit.edu
Wed Sep 19 22:21:28 UTC 2018


The branch OpenSSL_1_1_1-stable has been updated
       via  1766493bbd92cfcee6fca068ffe972092d43892c (commit)
      from  f560ff623b900b2460aa043441b527e304735eb1 (commit)


- Log -----------------------------------------------------------------
commit 1766493bbd92cfcee6fca068ffe972092d43892c
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed Sep 19 09:02:04 2018 -0500

    Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version()
    
    Historically SSL_CTX_set_ssl_version() has reset the cipher list
    to the default.  Splitting TLS 1.3 ciphers to be tracked separately
    caused a behavior change, in that TLS 1.3 cipher configuration was
    preserved across calls to SSL_CTX_set_ssl_version().  To restore commensurate
    behavior with the historical behavior, set the ciphersuites to the default as
    well as setting the cipher list to the default.
    
    Closes: #7226
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/7270)
    
    (cherry picked from commit 2340ed277b7c5365e83a32eb7d5fa32c4071fb21)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_lib.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d75158e..ec5b155 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
 
     ctx->method = meth;
 
+    if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) {
+        SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+        return 0;
+    }
     sk = ssl_create_cipher_list(ctx->method,
                                 ctx->tls13_ciphersuites,
                                 &(ctx->cipher_list),
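
Review bot: In the added block, the `return 0;` taken when SSL_CTX_set_ciphersuites() fails comes after `ctx->method = meth;`, so a failed call leaves the context holding the new method while the ssl_create_cipher_list() call below it is skipped. Consider restoring the previous method on that error path, or documenting that the context must not be used after a failure. SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS is raised for any failure of the ciphersuite reset, which may not describe the actual cause to the caller. The summary shows only ssl/ssl_lib.c changed: since an application that configured TLS 1.3 ciphersuites before calling SSL_CTX_set_ssl_version() will now have them replaced by TLS_DEFAULT_CIPHERSUITES, a documentation note on that ordering and a regression test for it would be worth adding, so that a restricted ciphersuite policy is not widened back to the defaults without the caller noticing.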

