[openssl-users] was the change in when disabled ciphers are skipped intentional?
Sam Roberts
vieuxtech at gmail.com
Fri Nov 23 19:25:27 UTC 2018
In 1.1.0j, if SSL_CTX_set_cipher_list() is called with "not-a-cipher"
or "rc4", then SSL_R_NO_CIPHER_MATCH will occur.
In 1.1.1a, set_cipher_list() succeeds and seems to return the complete
cipher list (should it do this?) but later ssl_cipher_list_to_bytes()
will find that ssl_cipher_disabled() is true for all the ciphers, and
SSL_R_NO_CIPHERS_AVAILABLE will occur.
We can work around this change, but it seems to be moving a
configuration error to a runtime error, and I'm not sure this was
intentional, or a side-effect of code cleanups. I couldn't find
mention of it in the man page or changelog.
Also, I don't understand why "not-a-cipher" matches any ciphers in
1.1.1; I'd expect the cipher list to be empty.
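A configuration-time check for the situation described in this post, added here as an example; it is not code from the thread or from OpenSSL. It uses Python's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list() and whose SSLContext.get_ciphers() exposes the resulting list. In 1.1.1 that list also carries the TLSv1.3 suites, which are configured separately through SSL_CTX_set_ciphersuites() and are not selected by the cipher string at all, so the check ignores them when deciding whether the string matched anything. The function names and the sample strings are this example's own.

```python
"""Validate an OpenSSL cipher-list string when it is configured, not at the
handshake. Added example; assumes Python's ssl module (3.6+) over OpenSSL."""
import ssl


def matched_pre_tls13_ciphers(cipher_string):
    """Return the names of the TLS <= 1.2 ciphers selected by cipher_string.

    Returns [] in both failure modes from the post: when set_ciphers()
    rejects the string outright (SSL_R_NO_CIPHER_MATCH, the 1.1.0 behaviour)
    and when it is accepted but only the separately configured TLSv1.3
    suites remain (the 1.1.1a behaviour), so the caller can fail at
    configuration time instead of with NO_CIPHERS_AVAILABLE later.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls13_suites_in_list(cipher_string):
    """Names of the TLSv1.3 suites left in the list after set_ciphers().

    These come from SSL_CTX_set_ciphersuites(), not from the cipher string,
    which is why a non-matching string can still leave a non-empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def check_cipher_config(cipher_string):
    """Raise ValueError unless cipher_string selects at least one
    pre-TLS1.3 cipher; return the matched names otherwise."""
    matched = matched_pre_tls13_ciphers(cipher_string)
    if not matched:
        raise ValueError(
            f"cipher list {cipher_string!r} selects no TLS<=1.2 cipher; "
            "a TLS 1.2 handshake would fail with no ciphers available")
    return matched


if __name__ == "__main__":
    # "DEFAULT" is a standard OpenSSL keyword; the other two are the
    # strings from the post and are expected to be rejected.
    for s in ("DEFAULT", "not-a-cipher", "rc4"):
        try:
            names = check_cipher_config(s)
            print(f"{s!r}: {len(names)} TLS<=1.2 cipher(s), "
                  f"{len(tls13_suites_in_list(s))} TLSv1.3 suite(s)")
        except ValueError as err:
            print(f"{s!r}: rejected ({err})")
```

Running the check once at startup turns the runtime NO_CIPHERS_AVAILABLE failure back into a configuration error regardless of which OpenSSL release the interpreter is linked against.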