authorLeorize <leorize+oss@disroot.org>2020-06-04 18:13:06 -0500
committerAndreas Rumpf <rumpf_a@web.de>2020-06-06 21:11:53 +0200
commit6b2d8bfc8b9e46ae92e490111cb6a2abc49a32b6 (patch)
tree05054ba51571c7aa98f4c46594a2c0be88e6ac6b /lib
parent3cd74c6408353aec97f04672140d5de226f3f3af (diff)
net: also set TLSv1.3 cipher suites
Diffstat (limited to 'lib')
-rw-r--r--lib/pure/net.nim7
-rw-r--r--lib/wrappers/openssl.nim5
2 files changed, 12 insertions, 0 deletions
diff --git a/lib/pure/net.nim b/lib/pure/net.nim
index f628ee056..c1896dc1c 100644
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -580,6 +580,13 @@ when defineSsl:
 
     if newCTX.SSL_CTX_set_cipher_list(cipherList) != 1:
       raiseSSLError()
+    when not defined(openssl10) and not defined(libressl):
+      let sslVersion = getOpenSSLVersion()
+      if sslVersion >= 0x010101000 and not sslVersion == 0x020000000:
+        # In OpenSSL >= 1.1.1, TLSv1.3 cipher suites can only be configured via
+        # this API.
+        if newCTX.SSL_CTX_set_ciphersuites(cipherList) != 1:
+          raiseSSLError()
     # Automatically the best ECDH curve for client exchange. Without this, ECDH
     # ciphers will be ignored by the server.
     #
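Review bot: The version test on the new line `if sslVersion >= 0x010101000 and not sslVersion == 0x020000000:` depends on `not` binding looser than `==`, but as far as I can tell from Nim's precedence rules unary `not` binds tighter than any binary operator, so this reads as `(not sslVersion) == 0x020000000`, a bitwise complement compared against the LibreSSL marker, which never matches and so never excludes it; `sslVersion != 0x020000000` says what is meant and has no precedence question. A second caveat worth a comment next to the new call: the same `cipherList` string is handed to both `SSL_CTX_set_cipher_list` and `SSL_CTX_set_ciphersuites`, and each API recognises only its own family of suite names, so a caller-supplied list has to carry both TLS 1.2 and TLS 1.3 names or one of the two calls can fail (the exact behaviour of `SSL_CTX_set_ciphersuites` on a list with no matching names I cannot confirm from here). The enclosing proc starts before this hunk.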
diff --git a/lib/wrappers/openssl.nim b/lib/wrappers/openssl.nim
index a3825b801..c81176a9b 100644
--- a/lib/wrappers/openssl.nim
+++ b/lib/wrappers/openssl.nim
@@ -296,6 +296,7 @@ when compileOption("dynlibOverride", "ssl") or defined(noOpenSSLHacks):
       SSl_state(ssl) and SSL_ST_INIT
   else:
     proc SSL_in_init*(ssl: SslPtr): cint {.cdecl, dynlib: DLLSSLName, importc.}
+    proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.}
 
   template OpenSSL_add_all_algorithms*() = discard
 
@@ -423,6 +424,10 @@ else:
     else:
       raiseInvalidLibrary MainProc
 
+  proc SSL_CTX_set_ciphersuites*(ctx: SslCtx, str: cstring): cint =
+    let theProc {.global.} = cast[proc(ctx: SslCtx, str: cstring) {.cdecl, gcsafe.}](sslSymThrows("SSL_CTX_set_ciphersuites"))
+    theProc(ctx, str)
+
 proc ERR_load_BIO_strings*(){.cdecl, dynlib: DLLUtilName, importc.}
 
 proc SSL_new*(context: SslCtx): SslPtr{.cdecl, dynlib: DLLSSLName, importc.}
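Review bot: The cast on the new `theProc` line uses a proc type with no return type, `cast[proc(ctx: SslCtx, str: cstring) {.cdecl, gcsafe.}]`, while the wrapper itself is declared to return `cint` and the `importc` declaration in the other hunk gives the same function a `cint` result. The trailing `theProc(ctx, str)` is then a void statement rather than the proc's value, so unless I am misreading Nim's rules the wrapper returns the zero-initialised `result` whatever OpenSSL actually returned, and the `!= 1` check in net.nim raises on every context created through this dynamic-loading path. The type should be `cast[proc(ctx: SslCtx, str: cstring): cint {.cdecl, gcsafe.}]`. Since `sslSymThrows` presumably raises when the symbol is absent, a doc comment such as `## Requires OpenSSL >= 1.1.1; raises if the loaded library lacks the symbol.` would also help callers.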