harden SSL config and session

This commit is contained in:
Jeremiah Mackey
2026-04-24 16:26:26 +00:00
parent a5670d7e49
commit 31c69bfdbc
3 changed files with 25 additions and 8 deletions
+14 -4
View File
@@ -10069,11 +10069,21 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
#ifdef WOLFSSL_DTLS
ssl->options.dtlsStateful = 0;
#endif
#ifdef WOLFSSL_TLS13
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
ssl->options.noPskDheKe = 0;
#ifdef HAVE_SUPPORTED_CURVES
ssl->options.onlyPskDheKe = 0;
#endif
if (ssl->ctx != NULL) {
ssl->options.noPskDheKe = ssl->ctx->noPskDheKe;
#ifdef HAVE_SUPPORTED_CURVES
ssl->options.onlyPskDheKe = ssl->ctx->onlyPskDheKe;
#endif
}
else {
ssl->options.noPskDheKe = 0;
#ifdef HAVE_SUPPORTED_CURVES
ssl->options.onlyPskDheKe = 0;
#endif
}
#endif
#endif
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_TLS13
+7 -4
View File
@@ -5513,10 +5513,13 @@ int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
ret = 1;
}
#else
/* OpenSSL's implementation of this API does not require loading the
* system CA cert directory. Allow skipping this without erroring out.
*/
ret = 1;
/* No source available: SSL_CERT_DIR/SSL_CERT_FILE not set and
* WOLFSSL_SYS_CA_CERTS not compiled in. Returning success would be
* fail-open since no trust anchors were loaded. */
WOLFSSL_MSG("wolfSSL_CTX_set_default_verify_paths: no CA source "
"available (build without WOLFSSL_SYS_CA_CERTS and no "
"SSL_CERT_DIR/SSL_CERT_FILE env)");
ret = WOLFSSL_FAILURE;
#endif
}
+4
View File
@@ -1598,8 +1598,12 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
#if !defined(OPENSSL_EXTRA) || !defined(WOLFSSL_ERROR_CODE_OPENSSL)
return WOLFSSL_FAILURE; /* session timed out */
#else /* defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) */
/* Return success for OpenSSL compatibility but do not carry the
* expired session's version/cipher into ssl state, which would
* otherwise pin the ClientHello to stale values. */
WOLFSSL_MSG("Session is expired but return success for "
"OpenSSL compatibility");
return WOLFSSL_SUCCESS;
#endif
}
ssl->options.resuming = 1;