diff --git a/src/ssl.c b/src/ssl.c
index bc7e6074c8..b3cd4beb1f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10069,11 +10069,21 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
 #ifdef WOLFSSL_DTLS
 ssl->options.dtlsStateful = 0;
 #endif
+ #ifdef WOLFSSL_TLS13
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ssl->options.noPskDheKe = 0;
- #ifdef HAVE_SUPPORTED_CURVES
- ssl->options.onlyPskDheKe = 0;
- #endif
+ if (ssl->ctx != NULL) {
+ ssl->options.noPskDheKe = ssl->ctx->noPskDheKe;
+ #ifdef HAVE_SUPPORTED_CURVES
+ ssl->options.onlyPskDheKe = ssl->ctx->onlyPskDheKe;
+ #endif
+ }
+ else {
+ ssl->options.noPskDheKe = 0;
+ #ifdef HAVE_SUPPORTED_CURVES
+ ssl->options.onlyPskDheKe = 0;
+ #endif
+ }
+ #endif
 #endif
 #ifdef HAVE_SESSION_TICKET
 #ifdef WOLFSSL_TLS13
diff --git a/src/ssl_load.c b/src/ssl_load.c
index 2841f22e8e..cada9e7560 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -5513,10 +5513,13 @@ int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
 ret = 1;
 }
 #else
- /* OpenSSL's implementation of this API does not require loading the
- * system CA cert directory. Allow skipping this without erroring out.
- */
- ret = 1;
+ /* No source available: SSL_CERT_DIR/SSL_CERT_FILE not set and
+ * WOLFSSL_SYS_CA_CERTS not compiled in. Returning success would be
+ * fail-open since no trust anchors were loaded. */
+ WOLFSSL_MSG("wolfSSL_CTX_set_default_verify_paths: no CA source "
+ "available (build without WOLFSSL_SYS_CA_CERTS and no "
+ "SSL_CERT_DIR/SSL_CERT_FILE env)");
+ ret = WOLFSSL_FAILURE;
 #endif
 }
 
diff --git a/src/ssl_sess.c b/src/ssl_sess.c
index 000a7dcfd9..1a6a6b5f35 100644
--- a/src/ssl_sess.c
+++ b/src/ssl_sess.c
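Review bot: In the src/ssl.c hunk the new `if (ssl->ctx != NULL)` block restores `noPskDheKe` and `onlyPskDheKe` from the context without a comment explaining why, although the reason is a security one. Judging by the field names, zeroing `onlyPskDheKe` on reset would let a reused object accept PSK without (EC)DHE even where the context requires it, so I would add `/* Re-apply the CTX PSK key-exchange policy; zeroing it here would silently drop it on reuse. */` above the `if`. The `else` branch repeats the old zeroing line for line; zeroing both fields first and overriding them inside the `if` would remove the duplicated `#ifdef HAVE_SUPPORTED_CURVES` block. A value set on the object itself after creation is now replaced by the context value on reset, which the API documentation should state; the enclosing function begins and ends outside the hunk.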
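Review bot: In the src/ssl_load.c hunk the new comment in the `#else` branch says no trust anchors were loaded, but the visible code only establishes that this call loaded none. A context that already holds CAs from another loader would, as far as the hunk shows, now also get `WOLFSSL_FAILURE` from wolfSSL_CTX_set_default_verify_paths, so I would word the last comment line as `* fail-open: this call loaded no trust anchors. */`. The `WOLFSSL_MSG` text is typically visible only in debug builds, so callers see just the changed return value; the function's API documentation should say that it now fails in this build configuration, since OpenSSL-style callers that treat the result as fatal got success before. The function starts and ends outside the hunk.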
@@ -1598,8 +1598,12 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
 #if !defined(OPENSSL_EXTRA) || !defined(WOLFSSL_ERROR_CODE_OPENSSL)
 return WOLFSSL_FAILURE; /* session timed out */
 #else /* defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) */
+ /* Return success for OpenSSL compatibility but do not carry the
+ * expired session's version/cipher into ssl state, which would
+ * otherwise pin the ClientHello to stale values. */
 WOLFSSL_MSG("Session is expired but return success for "
 "OpenSSL compatibility");
+ return WOLFSSL_SUCCESS;
 #endif
 }
 ssl->options.resuming = 1;
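Review bot: In the src/ssl_sess.c hunk the added `return WOLFSSL_SUCCESS;` skips `ssl->options.resuming = 1;`, but anything wolfSSL_SetSession stored on `ssl` before the expiry check stays in place, and that part of the function is outside the hunk. If the expired session has already been copied into the object by then, this path should clear it again so that stale ticket or secret material is not kept while the caller is told the call succeeded. The new comment would be more useful if it also stated the resulting contract, for example `* The caller gets success, but the session is not used for resumption. */`.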