Hi Pierre,

On 3/21/19 5:15 PM, Pierre Cheynier wrote:
> Any attempt to put TLS 1.3 ciphers on servers failed with output 'unable
> to set TLS 1.3 cipher suites'.
> 
> This was due to usage of SSL_CTX_set_cipher_list instead of
> SSL_CTX_set_ciphersuites in the TLS 1.3 block (protected by
> OPENSSL_VERSION_NUMBER >= 0x10101000L & so).
> 
> Signed-off-by: Pierre Cheynier <[email protected]>
> Reported-by: Damien Claisse <[email protected]>
> ---
>  src/ssl_sock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index 138b1c58c..47548edc1 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -4785,7 +4785,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
>  
>  #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL 
> && !defined LIBRESSL_VERSION_NUMBER)
>       if (srv->ssl_ctx.ciphersuites &&
> -             !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, 
> srv->ssl_ctx.ciphersuites)) {
> +             !SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, 
> srv->ssl_ctx.ciphersuites)) {
>               ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 
> 1.3 cipher suites to '%s'.\n",
>                        curproxy->id, srv->id,
>                        srv->conf.file, srv->conf.line, 
> srv->ssl_ctx.ciphersuites);
> 

Indeed, there is a copy-past mistake here from "ciphers".

We must merge this patch and and backport is needed on both 1.9 and 1.8.

R,
Emeric

Reply via email to