Update

0x676e67 · 0x676e67 · commit f57f4e4aadc4 · 2025-09-19T17:57:53.000+08:00
diff --git a/boring-sys/patches/boringssl-44b3df6f03d85c901767250329c571db405122d5.patch b/boring-sys/patches/boringssl-44b3df6f03d85c901767250329c571db405122d5.patch
@@ -5099,7 +5099,7 @@ index 6e5cc2da1..b1b31f3a7 100644
          ticket_age_skew < std::numeric_limits<int32_t>::min()) {
        return false;
 diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc
-index 971ebd0b1..abcc9ef47 100644
+index 971ebd0b1..3ccda1a78 100644
 --- a/src/ssl/handshake_client.cc
 +++ b/src/ssl/handshake_client.cc
 @@ -158,6 +158,8 @@
@@ -5134,7 +5134,7 @@ index 971ebd0b1..abcc9ef47 100644
 -      return false;
 +  if (ssl->config->preserve_tls13_cipher_list &&
 +      ssl->ctx->tls13_cipher_list != NULL &&
-+      sk_SSL_CIPHER_num(ssl->ctx->tls13_cipher_list->ciphers.get()) == 3) {
++      sk_SSL_CIPHER_num(ssl->ctx->tls13_cipher_list->ciphers.get()) >= 1) {
 +       for (size_t i = 0; i < sk_SSL_CIPHER_num(ssl->ctx->tls13_cipher_list->ciphers.get()); i++) {
 +        const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ssl->ctx->tls13_cipher_list->ciphers.get(), i);
 +        uint16_t cipher_id = SSL_CIPHER_get_protocol_id(cipher);
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -1910,14 +1910,26 @@ impl SslContextBuilder {
         unsafe { ffi::SSL_CTX_set_aes_hw_override(self.as_ptr(), enable as _) }
     }
 
-    /// Sets whether the preserve TLS 1.3 cipher list option should be enabled.
+    /// Sets whether to preserve the TLS 1.3 cipher list as configured by [`Self::set_cipher_list`].
+    ///
+    /// By default, BoringSSL does not preserve the TLS 1.3 cipher list. When this option is disabled
+    /// (the default), BoringSSL uses its internal default TLS 1.3 cipher suites in its default order,
+    /// regardless of what is set via [`Self::set_cipher_list`].
+    ///
+    /// When enabled, this option ensures that the TLS 1.3 cipher suites explicitly set via
+    /// [`Self::set_cipher_list`] are retained in their original order, without being reordered or
+    /// modified by BoringSSL's internal logic. This is useful for maintaining specific cipher suite
+    /// priorities for TLS 1.3. Note that if [`Self::set_cipher_list`] does not include any TLS 1.3
+    /// cipher suites, BoringSSL will still fall back to its default TLS 1.3 cipher suites and order.
     ///
     /// This feature isn't available in the certified version of BoringSSL.
     ///
     /// # Note
     ///
-    /// This method must be called before [`Self::set_cipher_list`] to take effect.
+    /// This method must be called **before** [`Self::set_cipher_list`] to take effect.
     /// If called after [`Self::set_cipher_list`], the setting will be ignored.
+    ///
+    /// [`Self::set_cipher_list`]: #method.set_cipher_list
     #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_CTX_set_preserve_tls13_cipher_list)]
     pub fn set_preserve_tls13_cipher_list(&mut self, enable: bool) {
