From 2340ed277b7c5365e83a32eb7d5fa32c4071fb21 Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Wed, 19 Sep 2018 09:02:04 -0500 Subject: [PATCH] Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version() Historically SSL_CTX_set_ssl_version() has reset the cipher list to the default. Splitting TLS 1.3 ciphers to be tracked separately caused a behavior change, in that TLS 1.3 cipher configuration was preserved across calls to SSL_CTX_set_ssl_version(). To restore commensurate behavior with the historical behavior, set the ciphersuites to the default as well as setting the cipher list to the default. Closes: #7226 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7270) --- ssl/ssl_lib.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d75158e30c..ec5b1554f7 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; + if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) { + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; + } sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, &(ctx->cipher_list), -- 2.25.1