From eae22ab37df7c89d6fca420d2d7c2bebf63b0d98 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Feb 2026 15:43:54 -0700 Subject: [PATCH] Send illegal_parameter alert rather than handshake_failure when the server tries to use a cipher suite that the client does not support. Fixes #9639. --- src/tls13.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 5b0f098507..b9e06896f9 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5497,8 +5497,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, suite[1] = ssl->options.cipherSuite; if (!FindSuiteSSL(ssl, suite)) { WOLFSSL_MSG("Cipher suite not supported on client"); - WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR); - return MATCH_SUITE_ERROR; + WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); + return INVALID_PARAMETER; } #if defined(HAVE_ECH)