3 files changed, 8 insertions, 5 deletions

diff --git a/fuzz/client.cc b/fuzz/client.cc
index 860ed68..2b91e7c 100644
--- a/fuzz/client.cc
+++ b/fuzz/client.cc
@@ -279,7 +279,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
   SSL_set_alpn_protos(client, kALPNProtocols, sizeof(kALPNProtocols));
 
   // Enable ciphers that are off by default.
-  SSL_set_cipher_list(client, "ALL:NULL-SHA");
+  SSL_set_strict_cipher_list(client, "ALL:NULL-SHA");
 
   BIO_write(in, buf, len);
   if (SSL_do_handshake(client) == 1) {
diff --git a/fuzz/server.cc b/fuzz/server.cc
index 1ee2ec9..9cdfad9 100644
--- a/fuzz/server.cc
+++ b/fuzz/server.cc
@@ -274,7 +274,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
   SSL_set_tls_channel_id_enabled(server, 1);
 
   // Enable ciphers that are off by default.
-  SSL_set_cipher_list(server, "ALL:NULL-SHA");
+  SSL_set_strict_cipher_list(server, "ALL:NULL-SHA");
 
   DH *dh = DH_get_1024_160(nullptr);
   SSL_set_tmp_dh(server, dh);
diff --git a/fuzz/ssl_ctx_api.cc b/fuzz/ssl_ctx_api.cc
index b721c6b..60058fa 100644
--- a/fuzz/ssl_ctx_api.cc
+++ b/fuzz/ssl_ctx_api.cc
@@ -344,11 +344,14 @@ static const std::function<void(SSL_CTX *, CBS *)> kAPIs[] = {
       if (!GetString(&ciphers, cbs)) {
         return;
       }
-      SSL_CTX_set_cipher_list(ctx, ciphers.c_str());
+      SSL_CTX_set_strict_cipher_list(ctx, ciphers.c_str());
     },
     [](SSL_CTX *ctx, CBS *cbs) {
-      // This function was left blank rather than removed to avoid invalidating
-      // the existing corpus. New entries may reuse it.
+      std::string ciphers;
+      if (!GetString(&ciphers, cbs)) {
+        return;
+      }
+      SSL_CTX_set_cipher_list(ctx, ciphers.c_str());
     },
     [](SSL_CTX *ctx, CBS *cbs) {
       // This function was left blank rather than removed to avoid invalidating