From 24fba7b77c69d1bb92ce38bffad7630b94b336b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnter=20Obiltschnig?=
Date: Sun, 1 Dec 2024 10:10:06 +0100
Subject: [PATCH] fix(NetSSL): Incorrect setting of ciphersuites for TLSv1.3 #4610

---
 NetSSL_OpenSSL/include/Poco/Net/Context.h | 9 +++++++++
 NetSSL_OpenSSL/src/Context.cpp | 11 +++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/NetSSL_OpenSSL/include/Poco/Net/Context.h b/NetSSL_OpenSSL/include/Poco/Net/Context.h
index 41f24875e..f3de7e9f4 100644
--- a/NetSSL_OpenSSL/include/Poco/Net/Context.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -191,6 +191,15 @@ public:
 	std::string cipherList;
 		/// Specifies the supported ciphers in OpenSSL notation.
 		/// Defaults to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
+		/// Note: The cipher list only applies for TLS 1.2 and
+		/// earlier versions. To configure TLS 1.3 cipher suites,
+		/// please use the cipherSuites member variable.
+
+	std::string cipherSuites;
+		/// Specifies the supported TLS 1.3 cipher suites.
+		/// If left empty, the OpenSSL default cipher suites
+		/// are used. Please refer to the OpenSSL documentation
+		/// for available cipher suite names.
 
 	std::string dhParamsFile;
 		/// Specifies a file containing Diffie-Hellman parameters.

diff --git a/NetSSL_OpenSSL/src/Context.cpp b/NetSSL_OpenSSL/src/Context.cpp
index 3c5e92f81..ccd1cb78c 100644
--- a/NetSSL_OpenSSL/src/Context.cpp
+++ b/NetSSL_OpenSSL/src/Context.cpp
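Review bot: The new cipherSuites documentation does not say that the setting is silently ignored when the library is built against an OpenSSL without SSL_CTX_set_ciphersuites; the matching Context.cpp hunk applies it only under `OPENSSL_VERSION_NUMBER >= 0x10101000L`, so a deployment relying on it for TLS 1.3 hardening cannot tell that from the header. I would add to the member comment: `/// Ignored when built against OpenSSL versions older than 1.1.1, which do not support TLS 1.3.` It is also worth stating the expected format, e.g. `/// Colon-separated list of TLS 1.3 cipher suite names as accepted by SSL_CTX_set_ciphersuites, e.g. "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256".` The enclosing struct continues outside the hunk on both sides.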
@@ -189,11 +189,14 @@ void Context::init(const Params& params)
 	else
 		SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyClientCallback);
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-	SSL_CTX_set_ciphersuites(_pSSLContext, params.cipherList.c_str());
-#else
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+	if (!params.cipherSuites.empty())
+	{
+		SSL_CTX_set_ciphersuites(_pSSLContext, params.cipherSuites.c_str());
+	}
+#endif
 	SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str());
-#endif // OPENSSL_VERSION_NUMBER >= 0x30000000L
+
 	SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
 	SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
 	SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
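Review bot: The return values of SSL_CTX_set_ciphersuites and SSL_CTX_set_cipher_list are still ignored, so a malformed or unsupported cipherSuites or cipherList string leaves the context on OpenSSL's defaults (or the previously set list) with no signal to the caller; for a setting whose whole purpose is to restrict what a peer may negotiate, that failure should be fatal rather than silent. Both calls return 1 on success and 0 on failure, so each should be checked and reported through the exception type init() presumably uses for its other failed SSL_CTX_* calls (SSLContextException, if I recall this file correctly). The new `#endif` also dropped the trailing comment the old one carried; `#endif // OPENSSL_VERSION_NUMBER >= 0x10101000L` keeps the block readable. Context::init continues outside the hunk on both sides.
```cpp
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
	if (!params.cipherSuites.empty())
	{
		// TLS 1.3 suites; a rejected string must not fall back to the defaults silently.
		if (!SSL_CTX_set_ciphersuites(_pSSLContext, params.cipherSuites.c_str()))
			throw SSLContextException("Cannot set TLS 1.3 cipher suites", params.cipherSuites);
	}
#endif // OPENSSL_VERSION_NUMBER >= 0x10101000L
	// TLS 1.2 and earlier
	if (!SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str()))
		throw SSLContextException("Cannot set cipher list", params.cipherList);
	// … unchanged: SSL_CTX_set_verify_depth / SSL_CTX_set_mode / session cache mode …
```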