authorBenjamin Kaduk <bkaduk@akamai.com>2018-09-19 09:02:04 -0500
committerBenjamin Kaduk <kaduk@mit.edu>2018-09-19 17:02:36 -0500
commit1766493bbd92cfcee6fca068ffe972092d43892c (patch)
treeba730e96e969b320a3e77896e9c69407d2d27133 /ssl/ssl_lib.c
parentf560ff623b900b2460aa043441b527e304735eb1 (diff)
Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version()
Historically SSL_CTX_set_ssl_version() has reset the cipher list to the default. Splitting TLS 1.3 ciphers to be tracked separately caused a behavior change, in that TLS 1.3 cipher configuration was preserved across calls to SSL_CTX_set_ssl_version(). To restore behavior consistent with the historical behavior, set the ciphersuites to the default as well as setting the cipher list to the default. Closes: #7226 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7270) (cherry picked from commit 2340ed277b7c5365e83a32eb7d5fa32c4071fb21)
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r--ssl/ssl_lib.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d75158e30c..ec5b1554f7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -654,6 +654,10 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->method = meth;
+ if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) {
+ SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+ return 0;
+ }
sk = ssl_create_cipher_list(ctx->method,
ctx->tls13_ciphersuites,
&(ctx->cipher_list),