[openssl-commits] [openssl] master update
kaduk at mit.edu
kaduk at mit.edu
Wed Sep 19 22:02:20 UTC 2018
The branch master has been updated
via 2340ed277b7c5365e83a32eb7d5fa32c4071fb21 (commit)
from 0db957dbbcf6a432086ab913378c23636d8c374c (commit)
- Log -----------------------------------------------------------------
commit 2340ed277b7c5365e83a32eb7d5fa32c4071fb21
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Wed Sep 19 09:02:04 2018 -0500
Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version()
Historically SSL_CTX_set_ssl_version() has reset the cipher list
to the default. Splitting TLS 1.3 ciphers to be tracked separately
caused a behavior change, in that TLS 1.3 cipher configuration was
preserved across calls to SSL_CTX_set_ssl_version(). To restore commensurate
behavior with the historical behavior, set the ciphersuites to the default as
well as setting the cipher list to the default.
Closes: #7226
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7270)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_lib.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d75158e..ec5b155 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->method = meth;
+ if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) {
+ SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+ return 0;
+ }
sk = ssl_create_cipher_list(ctx->method,
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
More information about the openssl-commits
mailing list