-rw-r--r--crypto/conf/conf_mod.c1
-rw-r--r--crypto/context.c17
-rw-r--r--crypto/err/openssl.txt1
-rw-r--r--include/openssl/crypto.h.in2
-rw-r--r--include/openssl/sslerr.h1
-rw-r--r--ssl/ssl_err.c2
-rw-r--r--ssl/ssl_lib.c5
-rw-r--r--ssl/ssl_local.h2
-rw-r--r--ssl/ssl_mcnf.c13
-rw-r--r--test/sysdefaulttest.c18
-rw-r--r--util/libcrypto.num2
11 files changed, 48 insertions, 16 deletions
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index ccd28a146a..3fa216dc1f 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -214,6 +214,7 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename,
ret = CONF_modules_load(conf, appname, flags);
diagnostics = conf_diagnostics(conf);
+ OSSL_LIB_CTX_set_conf_diagnostics(libctx, diagnostics);
err:
if (filename == NULL)
diff --git a/crypto/context.c b/crypto/context.c
index 3d55084d7b..fa46abab6b 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -50,6 +50,7 @@ struct ossl_lib_ctx_st {
#endif
unsigned int ischild:1;
+ unsigned int conf_diagnostics:1;
};
int ossl_lib_ctx_write_lock(OSSL_LIB_CTX *ctx)
@@ -666,3 +667,19 @@ CRYPTO_THREAD_LOCAL *ossl_lib_ctx_get_rcukey(OSSL_LIB_CTX *libctx)
return NULL;
return &libctx->rcu_local_key;
}
+
+int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *libctx)
+{
+ libctx = ossl_lib_ctx_get_concrete(libctx);
+ if (libctx == NULL)
+ return 0;
+ return libctx->conf_diagnostics;
+}
+
+void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, unsigned int value)
+{
+ libctx = ossl_lib_ctx_get_concrete(libctx);
+ if (libctx == NULL)
+ return;
+ libctx->conf_diagnostics = value != 0;
+}
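Review bot: OSSL_LIB_CTX_get_conf_diagnostics() and OSSL_LIB_CTX_set_conf_diagnostics() become public API here (they are also added to crypto.h.in and libcrypto.num) without a man page — the diffstat lists no doc/ change — and without a comment saying what the flag means. A short header comment above the getter would help, along the lines of `/* Set by CONF_modules_load_file_ex() from the loaded config's diagnostics setting; when set, consumers such as ssl_do_config() treat errors in the system default config as fatal. */`, with the exact wording of the config option taken from the documentation this commit still needs. The header declares the parameter as `ctx` while both definitions use `libctx`; using one name keeps the generated documentation consistent. The bitfield is written without ossl_lib_ctx_write_lock(), whose definition starts just above the first hunk; presumably the flag is set once at config-load time before the context is shared, but that assumption is worth stating in the comment rather than leaving it implicit.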
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 5102c481e3..0584f687c9 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1400,6 +1400,7 @@ SSL_R_EMPTY_RAW_PUBLIC_KEY:349:empty raw public key
SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST:354:empty srtp protection profile list
SSL_R_ENCRYPTED_LENGTH_TOO_LONG:150:encrypted length too long
SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:151:error in received cipher list
+SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG:419:error in system default config
SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN:204:error setting tlsa base domain
SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE:194:exceeds max fragment size
SSL_R_EXCESSIVE_MESSAGE_SIZE:152:excessive message size
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
index 5d7d3fd2e1..04d99e2092 100644
--- a/include/openssl/crypto.h.in
+++ b/include/openssl/crypto.h.in
@@ -536,6 +536,8 @@ int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file);
void OSSL_LIB_CTX_free(OSSL_LIB_CTX *);
OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void);
OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx);
+int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *ctx);
+void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, unsigned int value);
void OSSL_sleep(uint64_t millis);
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 980a6c7b2f..16305674ca 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -117,6 +117,7 @@
# define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
# define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
# define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
+# define SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG 419
# define SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN 204
# define SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE 194
# define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index a1da9fde39..ddd0e2a36a 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -164,6 +164,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"encrypted length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
"error in received cipher list"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG),
+ "error in system default config"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN),
"error setting tlsa base domain"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ed3522c7f5..6af23612ee 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4096,7 +4096,10 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
/* By default we send two session tickets automatically in TLSv1.3 */
ret->num_tickets = 2;
- ssl_ctx_system_config(ret);
+ if (!ssl_ctx_system_config(ret)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG);
+ goto err;
+ }
return ret;
err:
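Review bot: Failing SSL_CTX_new_ex() when ssl_ctx_system_config() returns 0 is a behaviour change for applications whose system default config contains errors and whose library context has the new conf_diagnostics flag set, and nothing in the diffstat documents it (no doc/ or CHANGES entry). A comment at the new check would make the intent clear to the next reader: `/* Errors in the system default config are fatal only when config diagnostics are enabled; see ssl_do_config() */`. The `err:` cleanup path and the rest of SSL_CTX_new_ex() lie outside the hunk, so whether ret is fully released on this new path cannot be confirmed from here.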
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index f448cfdbc9..78e16354e0 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2919,7 +2919,7 @@ void custom_exts_free(custom_ext_methods *exts);
void ssl_comp_free_compression_methods_int(void);
/* ssl_mcnf.c */
-void ssl_ctx_system_config(SSL_CTX *ctx);
+int ssl_ctx_system_config(SSL_CTX *ctx);
const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
int nid,
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index 8bccce84d4..66416b61cf 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -26,6 +26,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
size_t i, idx, cmd_count;
int err = 1;
unsigned int flags;
+ unsigned int conf_diagnostics = 0;
const SSL_METHOD *meth;
const SSL_CONF_CMD *cmds;
OSSL_LIB_CTX *prev_libctx = NULL;
@@ -46,8 +47,11 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
}
cmds = conf_ssl_get(idx, &name, &cmd_count);
cctx = SSL_CONF_CTX_new();
- if (cctx == NULL)
+ if (cctx == NULL) {
+ /* this is a fatal error, always report */
+ system = 0;
goto err;
+ }
flags = SSL_CONF_FLAG_FILE;
if (!system)
flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
@@ -60,6 +64,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
libctx = ctx->libctx;
}
+ conf_diagnostics = OSSL_LIB_CTX_get_conf_diagnostics(libctx);
if (meth->ssl_accept != ssl_undefined_function)
flags |= SSL_CONF_FLAG_SERVER;
if (meth->ssl_connect != ssl_undefined_function)
@@ -81,7 +86,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
err:
OSSL_LIB_CTX_set0_default(prev_libctx);
SSL_CONF_CTX_free(cctx);
- return err == 0;
+ return err == 0 || (system && !conf_diagnostics);
}
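Review bot: The new return expression at the end of ssl_do_config() relies on conf_diagnostics having been read at the line added in the previous hunk, which happens only after the cctx NULL check and after libctx has been chosen; any `goto err` taken before that point with `system` set returns success regardless of the library context's diagnostics flag, because conf_diagnostics is still 0. If that earlier exit is only the no-matching-section case this is intentional, but the ordering is load-bearing and deserves a comment next to the initializer in the first hunk: `/* 0 until libctx is known: system-config exits before that point are never fatal */`. Reusing the `system` parameter as the "always report" switch in the cctx == NULL branch works but is easy to misread; a dedicated local such as `int fatal = 0;` set there and tested in the return expression would be clearer. ssl_do_config() begins outside these hunks.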
int SSL_config(SSL *s, const char *name)
@@ -94,7 +99,7 @@ int SSL_CTX_config(SSL_CTX *ctx, const char *name)
return ssl_do_config(NULL, ctx, name, 0);
}
-void ssl_ctx_system_config(SSL_CTX *ctx)
+int ssl_ctx_system_config(SSL_CTX *ctx)
{
- ssl_do_config(NULL, ctx, NULL, 1);
+ return ssl_do_config(NULL, ctx, NULL, 1);
}
diff --git a/test/sysdefaulttest.c b/test/sysdefaulttest.c
index 350867cdcd..5cd09bd08c 100644
--- a/test/sysdefaulttest.c
+++ b/test/sysdefaulttest.c
@@ -16,16 +16,21 @@
#include <openssl/tls1.h>
#include "testutil.h"
-static SSL_CTX *ctx;
static int test_func(void)
{
+ int ret = 1;
+ SSL_CTX *ctx;
+
+ if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())))
+ return 0;
if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION)
&& !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION)) {
TEST_info("min/max version setting incorrect");
- return 0;
+ ret = 0;
}
- return 1;
+ SSL_CTX_free(ctx);
+ return ret;
}
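Review bot: The condition kept at the centre of test_func() joins the two TEST_int_eq() checks with `&&`, so the test still returns success when only one of the min or max protocol versions is wrong — the failing check prints, but ret stays 1. Since this commit already reworks the function's return handling, it is a good moment to change it to `||` so that either mismatch sets `ret = 0`. This predates the commit and is not a regression introduced here.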
int global_init(void)
@@ -38,13 +43,6 @@ int global_init(void)
int setup_tests(void)
{
- if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())))
- return 0;
ADD_TEST(test_func);
return 1;
}
-
-void cleanup_tests(void)
-{
- SSL_CTX_free(ctx);
-}
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 3f52107eda..a5f9bb32cb 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5644,3 +5644,5 @@ OSSL_IETF_ATTR_SYNTAX_get0_value ? 3_4_0 EXIST::FUNCTION:
OSSL_IETF_ATTR_SYNTAX_add1_value ? 3_4_0 EXIST::FUNCTION:
OSSL_IETF_ATTR_SYNTAX_print ? 3_4_0 EXIST::FUNCTION:
X509_ACERT_add_attr_nconf ? 3_4_0 EXIST::FUNCTION:
+OSSL_LIB_CTX_get_conf_diagnostics ? 3_4_0 EXIST::FUNCTION:
+OSSL_LIB_CTX_set_conf_diagnostics ? 3_4_0 EXIST::FUNCTION: