From fdf5a17cf632c738c655dae428d6d4334b0f9f0a Mon Sep 17 00:00:00 2001
From: Ruby Martin
Date: Tue, 3 Feb 2026 17:13:05 -0700
Subject: [PATCH] JNI: set options to filter cipher suites for TLS 1.3 protocol
---
 native/com_wolfssl_WolfSSL.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c
index 20f2d630..d2b44c1c 100644
--- a/native/com_wolfssl_WolfSSL.c
+++ b/native/com_wolfssl_WolfSSL.c
@@ -2029,6 +2029,7 @@ JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getAvailableCipherSuitesIana
 byte cipherSuite0;
 byte cipherSuite;
 #endif
+ long noOpts = 0;
 const char* cipherName = NULL;
 const char* ianaName = NULL;
 WOLFSSL_METHOD* method = NULL;
@@ -2067,11 +2068,16 @@ JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getAvailableCipherSuitesIana
 #ifndef WOLFSSL_NO_TLS12
 case 3:
 method = wolfTLSv1_2_client_method();
+ noOpts = SSL_OP_NO_TLSv1_3;
 break;
 #endif
 #ifdef WOLFSSL_TLS13
 case 4:
 method = wolfTLSv1_3_client_method();
+ noOpts = SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1 |
+ SSL_OP_NO_TLSv1_1 |
+ SSL_OP_NO_TLSv1_2;
 break;
 #endif
 case 5:
@@ -2112,6 +2118,11 @@ JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSL_getAvailableCipherSuitesIana
 return NULL;
 }
 
+ /* Filter cipher suites to only target protocol version */
+ if (noOpts != 0) {
+ wolfSSL_set_options(ssl, noOpts);
+ }
+
 supportedCiphers = wolfSSL_get_ciphers_compat(ssl);
 if (supportedCiphers == NULL) {
 wolfSSL_free(ssl);
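Review bot: The two masks in the switch are built asymmetrically and nothing records why: `case 3` disables only TLS 1.3, while `case 4` disables every older version. If the intent is that the TLS 1.2 list may still report suites that predate TLS 1.2, a comment on the `case 3` assignment such as `/* TLS 1.2 may still use older suites; only drop the TLS 1.3-only ones */` would make that explicit. The remaining cases, which start outside this hunk, leave `noOpts` at 0, so their lists are presumably returned unfiltered. That is worth confirming, because callers may treat these per-protocol lists as the set of suites safe to enable for that version.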
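Review bot: The return value of `wolfSSL_set_options(ssl, noOpts)` is dropped in the added `if (noOpts != 0)` block, so a mask that did not take effect would yield an unfiltered suite list with no signal to the Java caller. As far as I know the call returns the resulting option mask, so the guard could be `if ((wolfSSL_set_options(ssl, noOpts) & noOpts) != noOpts)`. It would then take the same cleanup and `return NULL` path as the `supportedCiphers == NULL` branch just below, whose body continues outside the hunk. The comment would also be clearer if it named the mechanism, e.g. `/* Mask off other protocol versions so wolfSSL_get_ciphers_compat() lists only suites for the requested one */`.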