From dd9b82d8fab95544b5e8117b3f59d5e41c37b61d Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 5 Feb 2022 18:34:06 +0000
Subject: [PATCH] Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_list

SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers. This wasn't a problem until now since the AEAD- ciphers were counted as distinct from TLS_ ciphers by the regress test, so they were never used in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests With the renaming, the TLSv1.3 ciphers are now considered as common ciphers, so they're tested. With openssl11 this results in 0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573: The design of these tests doesn't allow easily adding a call to SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2) so skip the TLS_* ciphers for the time being.
---
 regress/lib/libssl/interop/cipher/Makefile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index 77ed0f7ebef..bfe8cfea7ae 100644
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.8 2022/02/05 18:21:09 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
@@ -52,6 +52,10 @@ client-${clib}-server-${slib}.ciphers: \
 	uniq -d <$@.tmp >$@
 	# we are only interested in ciphers supported by libressl
 	sort $@ client-libressl.ciphers >$@.tmp
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
+	# OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+	sed -i '/^TLS_/d' $@.tmp
+. endif
 	uniq -d <$@.tmp >$@
 	rm $@.tmp
 .endfor
-- 
2.20.1
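Review bot: The new `sed -i '/^TLS_/d' $@.tmp` silently strips every TLSv1.3 suite from the shared list whenever either side is openssl11, and nothing after it verifies that the final `uniq -d <$@.tmp >$@` still wrote a non-empty file, so a pairing whose only common ciphers were TLS_* would generate zero per-cipher tests and pass vacuously; adding `test -s $@` right after that last `uniq -d` line would make the loss of coverage fail loudly instead. Because the commit message frames this as temporary, the added comment should also name the API that lifts the restriction so the workaround can be retired, e.g. `# XXX TLSv1.3 suites need SSL_CTX_set_ciphersuites(), which openssl 1.0.2 lacks; drop them until the harness can call it`. The rule being edited starts before this hunk (its target line is visible only in the `@@` context), and the `.for` loop that binds `${clib}` and `${slib}` is outside the view, so whether any other library tag (a newer OpenSSL, say) shares the same limitation cannot be checked from here.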