ITS#10094 libldap/OpenSSL: fix setting ciphersuites

Don't try old-style ciphersuite list if only v1.3 or newer ciphers were specified

libraries/libldap/tls_o.c

@@ -296,7 +296,7 @@ tlso_stecpy( char *dst, const char *src, const char *end )
  * Try to find any TLS1.3 ciphers in the given list of suites.
  */
 static void
-tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
 {
 	char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
 	char *ptr, *colon, *nptr;
@@ -305,6 +305,8 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
 	SSL *s = SSL_new( ctx );
 	int ret;
 
+	*oldsuites = NULL;
+
 	if ( !s )
 		return;
 
@@ -336,8 +338,15 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
 					if ( tls13_suites[0] )
 						ts = tlso_stecpy( ts, ":", te );
 					ts = tlso_stecpy( ts, nptr, te );
+				} else if (! *oldsuites) {
+					/* should never happen, set_ciphersuites should
+					 * only succeed for TLSv1.3 and above
+					 */
+					*oldsuites = ptr;
 				}
 			}
+		} else if (! *oldsuites) {
+			*oldsuites = ptr;
 		}
 		if ( !colon || ts >= te )
 			break;
@@ -417,10 +426,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char *
 	}
 
 	if ( lo->ldo_tls_ciphersuite ) {
+		char *oldsuites = lt->lt_ciphersuite;
 #if OPENSSL_VERSION_NUMBER >= 0x10101000
-		tlso_ctx_cipher13( ctx, lt->lt_ciphersuite );
+		tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites );
 #endif
-		if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
+		if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) )
 		{
 			Debug1( LDAP_DEBUG_ANY,
 				   "TLS: could not set cipher list %s.\n",