diff --git a/CHANGES b/CHANGES
index 21e9a39..0950646 100644
--- a/CHANGES
+++ b/CHANGES
@@ -189,6 +189,12 @@ Corrections: detect byte order in procan Test: EXEC_SIGINT
+ OpenSSL cipherlist option did not override global openssl.cnf settings.
+ Now SSL_CTX_set_cipher_list() is called before
+ SSL_CTX_use_certificate_chain_file().
+ Thanks to Hiroshi Sakurai for reporting the problem and suggesting this
+ solution.
+
 Coding: Introduced groups_t instead of uint32_t, for more flexibility.
diff --git a/xio-openssl.c b/xio-openssl.c
index 3ade1c3..98f26ac 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1393,6 +1393,21 @@ cont_out:
 #endif
 }
+ /* set pre openssl-connect options */
+ /* SSL_CIPHERS */
+ if (ci_str != NULL) {
+ if (sycSSL_CTX_set_cipher_list(ctx, ci_str) <= 0) {
+ if (ERR_peek_error() == 0)
+ Error1("SSL_set_cipher_list(, \"%s\") failed", ci_str);
+ while (err = ERR_get_error()) {
+ Error2("SSL_set_cipher_list(, \"%s\"): %s",
+ ci_str, ERR_error_string(err, NULL));
+ }
+ /*Error("SSL_new()");*/
+ return STAT_RETRYLATER;
+ }
+ }
+
 if (opt_cert) {
 BIO *bio;
 DH *dh;
@@ -1438,21 +1453,6 @@ cont_out:
 }
 }
- /* set pre openssl-connect options */
- /* SSL_CIPHERS */
- if (ci_str != NULL) {
- if (sycSSL_CTX_set_cipher_list(ctx, ci_str) <= 0) {
- if (ERR_peek_error() == 0)
- Error1("SSL_set_cipher_list(, \"%s\") failed", ci_str);
- while (err = ERR_get_error()) {
- Error2("SSL_set_cipher_list(, \"%s\"): %s",
- ci_str, ERR_error_string(err, NULL));
- }
- /*Error("SSL_new()");*/
- return STAT_RETRYLATER;
- }
- }
-
 if (*opt_ver) {
 sycSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|
 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
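Review bot: The diagnostics in the relocated block name `SSL_set_cipher_list` while the call is `sycSSL_CTX_set_cipher_list`, so a rejected cipher string is logged under the wrong API; since the lines are being moved anyway, the two messages should read `Error1("SSL_CTX_set_cipher_list(, \"%s\") failed", ci_str);` and `Error2("SSL_CTX_set_cipher_list(, \"%s\"): %s", ci_str, ERR_error_string(err, NULL));`, and the dead `/*Error("SSL_new()");*/` line should be dropped rather than carried to the new location. The comment `/* set pre openssl-connect options */` says nothing about why the block must now precede `if (opt_cert)`, and the CHANGES entry is the only record of it, so a why-comment at the new position would help the next maintainer, e.g. `/* Must run before SSL_CTX_use_certificate_chain_file(): otherwise the cipher list from the global openssl.cnf takes precedence over the user's option */`. `while (err = ERR_get_error())` assigns inside a condition without the extra parentheses most compilers warn about; `while ((err = ERR_get_error()) != 0)` states the intent. A caveat worth recording for anyone using this option as a hardening control: SSL_CTX_set_cipher_list() governs only TLS 1.2-and-earlier suites, so if this build can negotiate TLS 1.3 the TLS 1.3 ciphersuites are unaffected by it — I cannot tell the targeted OpenSSL version from this hunk. The enclosing function begins before and ends after the hunk.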