Merge pull request #9685 from kareem-wolfssl/gh7735

Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-29 13:32:13 +01:00 · 2026-01-23 12:38:46 -08:00
parent 2f388dde4c 4c0c51fdff
commit cd88ec57b0
2 changed files with 19 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -2253,6 +2253,16 @@ int InitSSL_Side(WOLFSSL* ssl, word16 side)
    }
 #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */

+    /* Forcefully reinitialize suites here as the side may have changed,
+     * unless the user has explicitly set cipher suites.
+     * Two separate checks to ensure suites are always allocated, to avoid
+     * failing suites == NULL check in InitSSL_Suites. */
+    if (ssl->suites && !ssl->suites->setSuites) {
+        FreeSuites(ssl);
+    }
+    if (!ssl->suites) {
+        AllocateSuites(ssl);
+    }
    return InitSSL_Suites(ssl);
 }
 #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE ||
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -17162,7 +17162,15 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
        if (AllocateSuites(ssl) != 0)
            return 0;
        if (!ssl->suites->setSuites) {
-            InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
+            /* Client side won't set DH params, so it needs haveDH set to TRUE. */
+            if (ssl->options.side == WOLFSSL_CLIENT_END)
+                InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
+                       havePSK, TRUE, ssl->options.haveECDSAsig,
+                       ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
+                       ssl->options.useAnon,
+                       TRUE, TRUE, TRUE, TRUE, ssl->options.side);
+            else
+                InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
                       havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
                       ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
                       ssl->options.useAnon,