Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_list

SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers.
This wasn't a problem until now since the AEAD- ciphers were counted as
distinct from TLS_ ciphers by the regress test, so they were never used
in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests

With the renaming, the TLSv1.3 ciphers are now considered as common
ciphers, so they're tested. With openssl11 this results in

0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573:

The design of these tests doesn't allow easily adding a call to
SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2)
so skip the TLS_* ciphers for the time being.

diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index 77ed0f7..bfe8cfe 100644 (file)
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.8 2022/02/05 18:21:09 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1.  Create lists of supported ciphers
@@ -52,6 +52,10 @@ client-${clib}-server-${slib}.ciphers: \
        uniq -d <$@.tmp >$@
        # we are only interested in ciphers supported by libressl
        sort $@ client-libressl.ciphers >$@.tmp
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
+       # OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+       sed -i '/^TLS_/d' $@.tmp
+. endif
        uniq -d <$@.tmp >$@
        rm $@.tmp
 .endfor