From 89931bd8849a7e492641b6949bba70398bcf67f4 Mon Sep 17 00:00:00 2001 From: Kareem Date: Mon, 19 Jan 2026 17:50:26 -0700 Subject: [PATCH 1/3] Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed. --- src/internal.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/internal.c b/src/internal.c index 86c20fd15..8eb9df6c3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2253,6 +2253,9 @@ int InitSSL_Side(WOLFSSL* ssl, word16 side) } #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */ + /* Forcefully reinitialize suites here as the side may have changed. */ + FreeSuites(ssl); + AllocateSuites(ssl); return InitSSL_Suites(ssl); } #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE || From d505c0b7c54a808dacddb37079af4e5f6b8acd82 Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 20 Jan 2026 11:40:37 -0700 Subject: [PATCH 2/3] Only reinitialize suites in InitSSL_Side if they were not set by the user. Always allocate suites in InitSSL_Side if they're NULL so InitSSL_Suites will set them. --- src/internal.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 8eb9df6c3..4aa0bc991 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2253,9 +2253,16 @@ int InitSSL_Side(WOLFSSL* ssl, word16 side) } #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */ - /* Forcefully reinitialize suites here as the side may have changed. */ - FreeSuites(ssl); - AllocateSuites(ssl); + /* Forcefully reinitialize suites here as the side may have changed, + * unless the user has explicitly set cipher suites. + * Two separate checks to ensure suites are always allocated, to avoid + * failing suites == NULL check in InitSSL_Suites. */ + if (ssl->suites && !ssl->suites->setSuites) { + FreeSuites(ssl); + } + if (!ssl->suites) { + AllocateSuites(ssl); + } return InitSSL_Suites(ssl); } #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE || From baedba6a588856513ef71eb65f109a5df0dc37eb Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 22 Jan 2026 15:13:08 -0700 Subject: [PATCH 3/3] Force client haveDH to true in wolfSSL_set_options. haveDH won't be set to true on the client as the server side is what calls DH param generation APIs which set this to true, but we still want the client to support DH cipher suites if enabled. This matches behavior from InitSSL_EitherSide. --- src/ssl.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index d3961330e..db2adc9c2 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17128,7 +17128,15 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) if (AllocateSuites(ssl) != 0) return 0; if (!ssl->suites->setSuites) { - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, + /* Client side won't set DH params, so it needs haveDH set to TRUE. */ + if (ssl->options.side == WOLFSSL_CLIENT_END) + InitSuites(ssl->suites, ssl->version, keySz, haveRSA, + havePSK, TRUE, ssl->options.haveECDSAsig, + ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, + ssl->options.useAnon, + TRUE, TRUE, TRUE, TRUE, ssl->options.side); + else + InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.useAnon,