Hi Pierre, On 3/21/19 5:15 PM, Pierre Cheynier wrote: > Any attempt to put TLS 1.3 ciphers on servers failed with output 'unable > to set TLS 1.3 cipher suites'. > > This was due to usage of SSL_CTX_set_cipher_list instead of > SSL_CTX_set_ciphersuites in the TLS 1.3 block (protected by > OPENSSL_VERSION_NUMBER >= 0x10101000L & so). > > Signed-off-by: Pierre Cheynier <[email protected]> > Reported-by: Damien Claisse <[email protected]> > --- > src/ssl_sock.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > index 138b1c58c..47548edc1 100644 > --- a/src/ssl_sock.c > +++ b/src/ssl_sock.c > @@ -4785,7 +4785,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv) > > #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL > && !defined LIBRESSL_VERSION_NUMBER) > if (srv->ssl_ctx.ciphersuites && > - !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, > srv->ssl_ctx.ciphersuites)) { > + !SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, > srv->ssl_ctx.ciphersuites)) { > ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS > 1.3 cipher suites to '%s'.\n", > curproxy->id, srv->id, > srv->conf.file, srv->conf.line, > srv->ssl_ctx.ciphersuites); >
Indeed, there is a copy-past mistake here from "ciphers". We must merge this patch and and backport is needed on both 1.9 and 1.8. R, Emeric

