From cccc65f05190adc8276d6f7a8071c8a45ca7f779 Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Mon, 3 Nov 2025 16:01:56 +0100 Subject: [PATCH] openssl: check CURL_SSLVERSION_MAX_DEFAULT properly The definition of these constants does not give a numeric ordering and MAX_DEFAULT needs to be checked in addition of ciphers and QUIC checks to apply correctly. Fixes #19340 Reported-by: Peter Piekarski Closes #19341 --- lib/vtls/openssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index c8c33198c0..f1c9e8bbd6 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -4050,6 +4050,7 @@ static CURLcode ossl_init_method(struct Curl_cfilter *cf, case TRNSPRT_QUIC: *pssl_version_min = CURL_SSLVERSION_TLSv1_3; if(conn_config->version_max && + (conn_config->version_max != CURL_SSLVERSION_MAX_DEFAULT) && (conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) { failf(data, "QUIC needs at least TLS version 1.3"); return CURLE_SSL_CONNECT_ERROR; @@ -4245,6 +4246,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, const char *ciphers13 = conn_config->cipher_list13; if(ciphers13 && (!conn_config->version_max || + (conn_config->version_max == CURL_SSLVERSION_MAX_DEFAULT) || (conn_config->version_max >= CURL_SSLVERSION_MAX_TLSv1_3))) { if(!SSL_CTX_set_ciphersuites(octx->ssl_ctx, ciphers13)) { failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);