MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC

Patch ed9b8fec49 ("BUG/MEDIUM: ssl: AWS-LC + TLSv1.3 won't do ECDSA in RSA+ECDSA configuration") partly fixed a cipher selection problem with AWS-LC. However this was not checking anymore if the ciphersuites was available in haproxy which is still a problem. The problem was fixed in AWS-LC 1.46.0 with this PR https://github.com/aws/aws-lc/pull/2092. This patch allows to filter again the TLS13 ciphersuites with recent versions of AWS-LC. However, since there are no macros to check the AWS-LC version, it is enabled at the next AWS-LC API version change following the fix in AWS-LC v1.50.0. This could be backported where ed9b8fec49 was backported.
2025-08-06 07:07:04 +02:00 · 2025-06-30 16:20:29 +02:00 · 2025-06-30 16:20:29 +02:00 · 7fc8ab0397
commit 7fc8ab0397
parent 4fcc9b5572
1 changed files with 4 additions and 2 deletions
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@ -379,9 +379,11 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 				continue;

 			/* check if this cipher is available in haproxy configuration */
-#if defined(OPENSSL_IS_AWSLC)
+
+#if defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION <= 32
                        /* because AWS-LC does not provide the TLSv1.3 ciphersuites (which are NID_auth_any) in ha_ciphers,
-                         * does not check if it's available when it's an NID_auth_any
+                         * does not check if it's available when it's an NID_auth_any.
+                         * This was fixed in v1.46.0, API version changed in v1.50.0
                         */
                        if (sk_SSL_CIPHER_find(ha_ciphers, cipher) == -1 && SSL_CIPHER_get_auth_nid(cipher) != NID_auth_any)
 				continue;