[openssl-users] was the change in when disabled ciphers are skipped intentional?

Sam Roberts vieuxtech at gmail.com
Fri Nov 23 19:25:27 UTC 2018


In 1.1.0j, if SSL_CTX_set_cipher_list() is called with "not-a-cipher"
or "rc4", then SSL_R_NO_CIPHER_MATCH will occur.

In 1.1.1a, set_cipher_list() succeeds and seems to return the complete
cipher list (should it do this?), but later ssl_cipher_list_to_bytes()
will find that ssl_cipher_disabled() is true for all the ciphers, and
SSL_R_NO_CIPHERS_AVAILABLE will occur.

We can work around this change, but it seems to be moving a
configuration error to a runtime error, and I'm not sure this was
intentional, or a side-effect of code cleanups. I couldn't find
mention of it in the man page or changelog.

Also, I don't understand why "not-a-cipher" matches any ciphers in
1.1.1, I'd expect the cipher list to be empty.
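As an added example (mine, not code from the post or from OpenSSL), a configuration-time check for the second failure mode, written against Python's ssl module, which wraps SSL_CTX_set_cipher_list(). It assumes the 1.1.1 behaviour comes from the TLSv1.3 suites staying in the list whatever the cipher string says (my reading of the post, not something it states), so a list with no pre-TLSv1.3 cipher is treated as a configuration error rather than left to fail at handshake time.

```python
import ssl


def pre_tls13_ciphers(ctx):
    """Names of the ciphers in ctx that are usable below TLSv1.3.

    get_ciphers() reflects what SSL_CTX_set_cipher_list() left configured.
    TLSv1.3 suites are reported with protocol "TLSv1.3" and are filtered
    out, because a string such as "not-a-cipher" can leave nothing else.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_cipher_string(cipher_string):
    """Classify a cipher string before any connection is attempted.

    Returns one of:
      "rejected-by-library"  set_ciphers() failed (the 1.1.0j behaviour)
      "no-pre-tls13-cipher"  the call succeeded but only TLSv1.3 suites
                             remain, so a TLSv1.2 handshake would fail with
                             NO_CIPHERS_AVAILABLE (the 1.1.1a behaviour)
      "ok"                   at least one pre-TLSv1.3 cipher is configured
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # calls SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return "rejected-by-library"
    if not pre_tls13_ciphers(ctx):
        return "no-pre-tls13-cipher"
    return "ok"


def make_context(cipher_string):
    """Build a context, surfacing either failure mode as a ValueError at
    configuration time instead of a runtime handshake error."""
    verdict = check_cipher_string(cipher_string)
    if verdict != "ok":
        raise ValueError(f"cipher string {cipher_string!r}: {verdict}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx


if __name__ == "__main__":
    # Constructed sample strings: one valid, the two from the post.
    for s in ("HIGH:!aNULL:!MD5", "not-a-cipher", "rc4"):
        print(f"{s!r}: {check_cipher_string(s)}")
```

Which of the two non-"ok" verdicts you see for "not-a-cipher" tells you which OpenSSL behaviour your build has; either way the string is rejected before a socket is opened.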
