wolfssl: fix cipher list, skip 5.8.4 regression

- adjust cipher list in infof() statement for min/max TLS version - skip test_17_07 for wolfSSL 5.8.4 when CHACHA20 is negotiated due to regression with homebrew build on ARM systems. Fixes #19644 Reported-by: Viktor Szakats Closes #19662
2026-05-30 06:17:28 +03:00 · 2025-11-23 16:59:40 +01:00 · 2025-11-23 16:59:40 +01:00 · 29b3b1ae6d
commit 29b3b1ae6d
parent 74f7505974
2 changed files with 35 additions and 21 deletions
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -1043,62 +1043,69 @@ static CURLcode client_certificate(struct Curl_easy *data,

 static CURLcode ssl_version(struct Curl_easy *data,
                            struct ssl_primary_config *conn_config,
-                            struct wssl_ctx *wctx)
+                            struct wssl_ctx *wctx,
+                            int *min_version, int *max_version)
 {
  int res;
+  *min_version = *max_version = 0;
  switch(conn_config->version) {
  case CURL_SSLVERSION_DEFAULT:
  case CURL_SSLVERSION_TLSv1:
  case CURL_SSLVERSION_TLSv1_0:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+    *min_version = TLS1_VERSION;
    break;
  case CURL_SSLVERSION_TLSv1_1:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+    *min_version = TLS1_1_VERSION;
    break;
  case CURL_SSLVERSION_TLSv1_2:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+    *min_version = TLS1_2_VERSION;
    break;
 #ifdef WOLFSSL_TLS13
  case CURL_SSLVERSION_TLSv1_3:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+    *min_version = TLS1_3_VERSION;
    break;
 #endif
  default:
    failf(data, "wolfSSL: unsupported minimum TLS version value");
    return CURLE_SSL_CONNECT_ERROR;
  }
-  if(res != WOLFSSL_SUCCESS) {
-    failf(data, "wolfSSL: failed set the minimum TLS version");
-    return CURLE_SSL_CONNECT_ERROR;
-  }

  switch(conn_config->version_max) {
 #ifdef WOLFSSL_TLS13
  case CURL_SSLVERSION_MAX_TLSv1_3:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+    *max_version = TLS1_3_VERSION;
    break;
 #endif
  case CURL_SSLVERSION_MAX_TLSv1_2:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+    *max_version = TLS1_2_VERSION;
    break;
  case CURL_SSLVERSION_MAX_TLSv1_1:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+    *max_version = TLS1_1_VERSION;
    break;
  case CURL_SSLVERSION_MAX_TLSv1_0:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+    *max_version = TLS1_VERSION;
    break;
  case CURL_SSLVERSION_MAX_DEFAULT:
  case CURL_SSLVERSION_MAX_NONE:
-    res = WOLFSSL_SUCCESS;
    break;
  default:
    failf(data, "wolfSSL: unsupported maximum TLS version value");
    return CURLE_SSL_CONNECT_ERROR;
  }
+
+  res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, *min_version);
  if(res != WOLFSSL_SUCCESS) {
-    failf(data, "wolfSSL: failed set the maximum TLS version");
+    failf(data, "wolfSSL: failed set the minimum TLS version");
    return CURLE_SSL_CONNECT_ERROR;
  }
+
+  if(*max_version) {
+    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, *max_version);
+    if(res != WOLFSSL_SUCCESS) {
+      failf(data, "wolfSSL: failed set the maximum TLS version");
+      return CURLE_SSL_CONNECT_ERROR;
+    }
+  }
  return CURLE_OK;
 }

@ -1126,6 +1133,7 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
 #endif
  CURLcode result = CURLE_FAILED_INIT;
  unsigned char transport;
+  int tls_min, tls_max;

  DEBUGASSERT(!wctx->ssl_ctx);
  DEBUGASSERT(!wctx->ssl);
@ -1159,7 +1167,7 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
    goto out;
  }

-  result = ssl_version(data, conn_config, wctx);
+  result = ssl_version(data, conn_config, wctx, &tls_min, &tls_max);
  if(result)
    goto out;

@ -1183,12 +1191,14 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
    struct dynbuf c;
    curlx_dyn_init(&c, MAX_CIPHER_LEN);

-    if(ciphers13)
-      result = curlx_dyn_add(&c, ciphers13);
-    else
-      result = wssl_add_default_ciphers(TRUE, &c);
+    if(!tls_max || (tls_max >= TLS1_3_VERSION)) {
+      if(ciphers13)
+        result = curlx_dyn_add(&c, ciphers13);
+      else
+        result = wssl_add_default_ciphers(TRUE, &c);
+    }

-    if(!result) {
+    if(!result && (tls_min < TLS1_3_VERSION)) {
      if(ciphers12) {
        if(curlx_dyn_len(&c))
          result = curlx_dyn_addn(&c, ":", 1);
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@ -258,6 +258,10 @@ class TestSSLUse:
        curl = CurlClient(env=env)
        url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
        # SSL backend specifics
+        # see wolfSSL/wolfssl#9462
+        if env.curl_uses_lib('wolfssl') and env.curl_lib_version('wolfssl') == '5.8.4' \
+           and ciphers13 and 'TLS_CHACHA20_POLY1305_SHA256' in ciphers13:
+            pytest.skip('wolfSSL 5.8.4 is borked on ARM with CHACHA20')
        if env.curl_uses_lib('gnutls'):
            pytest.skip('GnuTLS does not support setting ciphers')
        elif env.curl_uses_lib('boringssl'):