tls-peer: Don't initiate TLS connection if no cipher suites are supported
authorPascal Knecht <pascal.knecht@hsr.ch>
Thu, 3 Sep 2020 19:53:52 +0000 (21:53 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
If zero cipher suites are left after all filters, tls-peer does not
try to establish a connection to the server anymore.

src/libtls/tls_peer.c

index 002b84c..8e75eec 100644 (file)
@@ -1237,6 +1237,12 @@ static status_t send_client_hello(private_tls_peer_t *this,
 
        /* add TLS cipher suites */
        count = this->crypto->get_cipher_suites(this->crypto, &suites);
+       if (count <= 0)
+       {
+               DBG1(DBG_TLS, "no supported TLS cipher suite available");
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+               return NEED_MORE;
+       }
        writer->write_uint16(writer, count * 2);
        for (i = 0; i < count; i++)
        {
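Review bot: The `/* add TLS cipher suites */` comment above the new guard does not say why an empty list is treated as a fatal error rather than written as a zero-length cipher_suites vector, and the DBG1 text does not tell the operator that the list was emptied locally (by the filters the commit message mentions) rather than by the server; I would extend the comment to `/* add TLS cipher suites; an empty list is a local configuration problem, so abort with a fatal alert instead of sending a ClientHello no server can accept */` and the log line to `"no supported TLS cipher suite available after filtering"`. The `count <= 0` comparison also covers a negative return, which is fine if `count` is signed and presumably what get_cipher_suites reports on failure, but its declaration and the return contract are outside the hunk, so that reading should be confirmed. The existing `count * 2` write into a uint16 field is unchanged by this commit and is not limited here; whether the filtered suite count can ever exceed that width is not visible in the hunk. send_client_hello begins and continues outside the hunk on both sides.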