Don't complain with "no cipher match" for QUIC objects

Calling the functions SSL_CTX_set_cipher_list() or SSL_set_cipher_list() will return the error "no cipher match" if no TLSv1.2 (or below) ciphers are enabled after calling them. However this is normal behaviour for QUIC objects which do not support TLSv1.2 ciphers. Therefore we should suppress that error in this case. Fixes openssl#25878 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#25886) (cherry picked from commit 40237bf)
siemens · Nov 8, 2024 · e5487c4 · e5487c4
1 parent 1181bc5
commit e5487c4
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
@@ -3342,7 +3342,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
      */
     if (sk == NULL)
         return 0;
-    else if (cipher_list_tls12_num(sk) == 0) {
+    if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
         return 0;
     }
@@ -3354,17 +3354,19 @@ int SSL_set_cipher_list(SSL *s, const char *str)
 {
     STACK_OF(SSL_CIPHER) *sk;
     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+    SSL_CTX *ctx;
 
     if (sc == NULL)
         return 0;
 
-    sk = ssl_create_cipher_list(s->ctx, sc->tls13_ciphersuites,
+    ctx = s->ctx;
+    sk = ssl_create_cipher_list(ctx, sc->tls13_ciphersuites,
                                 &sc->cipher_list, &sc->cipher_list_by_id, str,
                                 sc->cert);
     /* see comment in SSL_CTX_set_cipher_list */
     if (sk == NULL)
         return 0;
-    else if (cipher_list_tls12_num(sk) == 0) {
+    if (ctx->method->num_ciphers() > 0 && cipher_list_tls12_num(sk) == 0) {
         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
         return 0;
     }