wolfssl: fix cipher list, skip 5.8.4 regression - adjust cipher list in infof() statement for min/max TLS version - skip test_17_07 for wolfSSL 5.8.4 when CHACHA20 is negotiated due to regression with homebrew build on ARM systems. Fixes #19644 Reported-by: Viktor Szakats Closes #19662

commit: 29b3b1ae6d7ce561700cfe81aaba3b3ebc8a7a6a [log] [tgz]
author: Stefan Eissing <stefan@eissing.org> Sun Nov 23 16:59:40 2025 +0100
committer: Daniel Stenberg <daniel@haxx.se> Sun Nov 23 18:05:42 2025 +0100
tree: 20c8bf3b070223d2ae7bdb3c405a278690d784a4
parent: 74f7505974836f633c955dbce7514f12f78ddc5b [diff]
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index a8090d1..c8fc8c4 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c

@@ -1043,62 +1043,69 @@
 
 static CURLcode ssl_version(struct Curl_easy *data,
                             struct ssl_primary_config *conn_config,
-                            struct wssl_ctx *wctx)
+                            struct wssl_ctx *wctx,
+                            int *min_version, int *max_version)
 {
   int res;
+  *min_version = *max_version = 0;
   switch(conn_config->version) {
   case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+    *min_version = TLS1_VERSION;
     break;
   case CURL_SSLVERSION_TLSv1_1:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+    *min_version = TLS1_1_VERSION;
     break;
   case CURL_SSLVERSION_TLSv1_2:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+    *min_version = TLS1_2_VERSION;
     break;
 #ifdef WOLFSSL_TLS13
   case CURL_SSLVERSION_TLSv1_3:
-    res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+    *min_version = TLS1_3_VERSION;
     break;
 #endif
   default:
     failf(data, "wolfSSL: unsupported minimum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
-  if(res != WOLFSSL_SUCCESS) {
-    failf(data, "wolfSSL: failed set the minimum TLS version");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
 
   switch(conn_config->version_max) {
 #ifdef WOLFSSL_TLS13
   case CURL_SSLVERSION_MAX_TLSv1_3:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+    *max_version = TLS1_3_VERSION;
     break;
 #endif
   case CURL_SSLVERSION_MAX_TLSv1_2:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+    *max_version = TLS1_2_VERSION;
     break;
   case CURL_SSLVERSION_MAX_TLSv1_1:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+    *max_version = TLS1_1_VERSION;
     break;
   case CURL_SSLVERSION_MAX_TLSv1_0:
-    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+    *max_version = TLS1_VERSION;
     break;
   case CURL_SSLVERSION_MAX_DEFAULT:
   case CURL_SSLVERSION_MAX_NONE:
-    res = WOLFSSL_SUCCESS;
     break;
   default:
     failf(data, "wolfSSL: unsupported maximum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
+
+  res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, *min_version);
   if(res != WOLFSSL_SUCCESS) {
-    failf(data, "wolfSSL: failed set the maximum TLS version");
+    failf(data, "wolfSSL: failed set the minimum TLS version");
     return CURLE_SSL_CONNECT_ERROR;
   }
+
+  if(*max_version) {
+    res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, *max_version);
+    if(res != WOLFSSL_SUCCESS) {
+      failf(data, "wolfSSL: failed set the maximum TLS version");
+      return CURLE_SSL_CONNECT_ERROR;
+    }
+  }
   return CURLE_OK;
 }
 
@@ -1126,6 +1133,7 @@
 #endif
   CURLcode result = CURLE_FAILED_INIT;
   unsigned char transport;
+  int tls_min, tls_max;
 
   DEBUGASSERT(!wctx->ssl_ctx);
   DEBUGASSERT(!wctx->ssl);
@@ -1159,7 +1167,7 @@
     goto out;
   }
 
-  result = ssl_version(data, conn_config, wctx);
+  result = ssl_version(data, conn_config, wctx, &tls_min, &tls_max);
   if(result)
     goto out;
 
@@ -1183,12 +1191,14 @@
     struct dynbuf c;
     curlx_dyn_init(&c, MAX_CIPHER_LEN);
 
-    if(ciphers13)
-      result = curlx_dyn_add(&c, ciphers13);
-    else
-      result = wssl_add_default_ciphers(TRUE, &c);
+    if(!tls_max || (tls_max >= TLS1_3_VERSION)) {
+      if(ciphers13)
+        result = curlx_dyn_add(&c, ciphers13);
+      else
+        result = wssl_add_default_ciphers(TRUE, &c);
+    }
 
-    if(!result) {
+    if(!result && (tls_min < TLS1_3_VERSION)) {
       if(ciphers12) {
         if(curlx_dyn_len(&c))
           result = curlx_dyn_addn(&c, ":", 1);

diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 58ad7fd..85c43d5 100644
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py

@@ -258,6 +258,10 @@
         curl = CurlClient(env=env)
         url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
         # SSL backend specifics
+        # see wolfSSL/wolfssl#9462
+        if env.curl_uses_lib('wolfssl') and env.curl_lib_version('wolfssl') == '5.8.4' \
+           and ciphers13 and 'TLS_CHACHA20_POLY1305_SHA256' in ciphers13:
+            pytest.skip('wolfSSL 5.8.4 is borked on ARM with CHACHA20')
         if env.curl_uses_lib('gnutls'):
             pytest.skip('GnuTLS does not support setting ciphers')
         elif env.curl_uses_lib('boringssl'):
commit	29b3b1ae6d7ce561700cfe81aaba3b3ebc8a7a6a	[log] [tgz]
author	Stefan Eissing <stefan@eissing.org>	Sun Nov 23 16:59:40 2025 +0100
committer	Daniel Stenberg <daniel@haxx.se>	Sun Nov 23 18:05:42 2025 +0100
tree	20c8bf3b070223d2ae7bdb3c405a278690d784a4
parent	74f7505974836f633c955dbce7514f12f78ddc5b [diff]