test

rlm2002 · rlm2002 · commit 01dbfae7763c · 2026-01-29T16:04:19.000-07:00
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java b/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java
@@ -487,13 +487,77 @@ protected static synchronized String[] getAllCiphers() {
     }
 
     /**
-     * Get all enabled cipher suites, and allowed via
-     * wolfjsse.enabledCipherSuites system Security property (if set).
+     * Get all enabled cipher suites, filtered by enabled protocols and
+     * allowed via wolfjsse.enabledCipherSuites system Security property
+     * (if set).
      *
-     * @return String array of all enabled cipher suites
+     * TLS 1.3 uses different cipher suite names than TLS 1.2 and earlier.
+     * TLS 1.3 suites do not contain "_WITH_" (e.g., TLS_AES_256_GCM_SHA384),
+     * while TLS 1.2 and earlier suites do (e.g.,
+     * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384).
+     *
+     * Filtering is only applied when it results in a non-empty list. If
+     * filtering would remove all cipher suites (e.g., user explicitly set
+     * incompatible cipher suites for the protocol), the original list is
+     * returned to preserve user settings and let the handshake fail with
+     * a proper error.
+     *
+     * @return String array of all enabled cipher suites compatible with
+     *         enabled protocols
      */
     protected synchronized String[] getCiphers() {
-        return WolfSSLUtil.sanitizeSuites(this.params.getCipherSuites());
+        String[] suites = WolfSSLUtil.sanitizeSuites(
+            this.params.getCipherSuites());
+        String[] protocols = null;
+        if (this.params != null) {
+            protocols = this.params.getProtocols();
+        }
+
+        if (suites == null || suites.length == 0 ||
+            protocols == null || protocols.length == 0) {
+            return suites;
+        }
+
+        boolean tls13Enabled = false;
+        boolean preTls13Enabled = false;
+
+        for (String protocol : protocols) {
+            if (protocol.equals("TLSv1.3") || protocol.equals("DTLSv1.3")) {
+                tls13Enabled = true;
+            } else if (protocol.startsWith("TLS") ||
+                       protocol.startsWith("SSL") ||
+                       protocol.startsWith("DTLS")) {
+                preTls13Enabled = true;
+            }
+        }
+
+        /* If both TLS 1.3 and pre-TLS 1.3 protocols enabled, return all */
+        if (tls13Enabled && preTls13Enabled) {
+            return suites;
+        }
+
+        ArrayList<String> filtered = new ArrayList<>();
+
+        for (String suite : suites) {
+            /* TLS 1.3 cipher suites do NOT contain "_WITH_" in their names */
+            boolean isTls13Suite = !suite.contains("_WITH_");
+
+            if (tls13Enabled && isTls13Suite) {
+                /* Only TLS 1.3 enabled - include only TLS 1.3 suites */
+                filtered.add(suite);
+            } else if (preTls13Enabled && !isTls13Suite) {
+                /* Only pre-TLS 1.3 enabled - include only pre-TLS 1.3 suites */
+                filtered.add(suite);
+            }
+        }
+
+        /* If filtering removed all suites, return original list to preserve
+         * user settings and allow handshake to fail with a proper error. */
+        if (filtered.isEmpty()) {
+            return suites;
+        }
+
+        return filtered.toArray(new String[0]);
     }
 
     /**
