authorErlang/OTP <otp@erlang.org>2023-02-22 15:28:57 +0100
committerErlang/OTP <otp@erlang.org>2023-02-22 15:28:57 +0100
commit0014b4e6d136c907c18e5a00ef31f5b229d28fd7 (patch)
tree1585fa25b30d9508f4df017a54459009e5c8662f
parentb47d81b7e80a4c37e2d99e2a1ddbecac74651da4 (diff)
parent2ad32862c6532f69b4ee5b95ef2620f20bee0552 (diff)
Merge branch 'ingela/maint-24/ssl/middlebox_hello_retry_request/GH-6807/OTP-18467' into maint-24
* ingela/maint-24/ssl/middlebox_hello_retry_request/GH-6807/OTP-18467: ssl: Adjust assert of middlebox change_cipher_spec for better interop
-rw-r--r--lib/ssl/src/tls_connection_1_3.erl6
-rw-r--r--lib/ssl/src/tls_handshake_1_3.erl14
2 files changed, 15 insertions, 5 deletions
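diff --git a/lib/ssl/src/tls_connection_1_3.erl b/lib/ssl/src/tls_connection_1_3.erl
index 7c7c19847f..1edc324593 100644
--- a/lib/ssl/src/tls_connection_1_3.erl
+++ b/lib/ssl/src/tls_connection_1_3.erl
@@ -447,8 +447,8 @@ wait_sh(internal, #server_hello{} = Hello,
 #alert{} = Alert ->
 ssl_gen_statem:handle_own_alert(Alert, wait_sh, State0);
 {State1 = #state{}, start, ServerHello} ->
- %% hello_retry_request : assert middlebox before going back to start
- {next_state, hello_retry_middlebox_assert, State1, [{next_event, internal, ServerHello}]};
+ %% hello_retry_request: go to start
+ {next_state, start, State1, [{next_event, internal, ServerHello}]};
 {State1, wait_ee} when IsRetry == true ->
 tls_gen_connection:next_event(wait_ee, no_record, State1);
 {State1, wait_ee} when IsRetry == false ->
@@ -471,7 +471,7 @@ hello_middlebox_assert(Type, Msg, State) ->
 hello_retry_middlebox_assert(enter, _, State) ->
 {keep_state, State};
 hello_retry_middlebox_assert(internal, #change_cipher_spec{}, State) ->
- tls_gen_connection:next_event(start, no_record, State);
+ tls_gen_connection:next_event(wait_sh, no_record, State);
 hello_retry_middlebox_assert(internal, #server_hello{}, State) ->
 tls_gen_connection:next_event(?FUNCTION_NAME, no_record, State, [postpone]);
 hello_retry_middlebox_assert(info, Msg, State) ->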
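Review bot: With the `#change_cipher_spec{}` clause now resuming in wait_sh, a peer that never sends the dummy change_cipher_spec after its HelloRetryRequest leaves the client in hello_retry_middlebox_assert, where the `#server_hello{}` clause only postpones, so as far as this hunk shows the handshake would sit until the handshake timeout instead of ending in a clear alert; whether a timeout or drain path elsewhere covers that case is outside the hunk and worth confirming. The retargeted clause also deserves a why-comment now that its target is no longer `start`: `%% Middlebox mode: the change_cipher_spec sent after HelloRetryRequest has been seen; resume waiting for the second ServerHello`. The same applies to the wait_sh hunk above, whose new comment `%% hello_retry_request: go to start` says nothing about where the middlebox assertion moved; `%% hello_retry_request: go to start; with middlebox mode the change_cipher_spec is asserted after the retried ClientHello is sent` would tell a reader of this file alone. Both wait_sh and hello_retry_middlebox_assert begin or continue outside their hunks.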
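diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 025dbce72c..6cd3f623e5 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -745,6 +745,7 @@ do_start(#server_hello{cipher_suite = SelectedCipherSuite,
 handshake_env = #handshake_env{renegotiation = {Renegotiation, _},
 ocsp_stapling_state = OcspState},
 connection_env = #connection_env{negotiated_version = NegotiatedVersion},
+ protocol_specific = PS,
 ssl_options = #{ciphers := ClientCiphers,
 supported_groups := ClientGroups0,
 use_ticket := UseTicket,
@@ -818,8 +819,17 @@ do_start(#server_hello{cipher_suite = SelectedCipherSuite,
 handshake_env = HsEnv#handshake_env{tls_handshake_history = HHistory},
 key_share = ClientKeyShare},
- {State, wait_sh}
-
+ %% If it is a hello_retry and middlebox mode is
+ %% used assert the change_cipher_spec message
+ %% that the server should send next
+ case (maps:get(hello_retry, PS, false)) andalso
+ (maps:get(middlebox_comp_mode, SslOpts, true))
+ of
+ true ->
+ {State, hello_retry_middlebox_assert};
+ false ->
+ {State, wait_sh}
+ end
 catch
 {Ref, #alert{} = Alert} ->
 Alert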
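Review bot: The new `case` at the end of do_start wraps each operand in redundant parentheses and places `of` on its own line, which reads oddly next to the rest of this function; `case maps:get(hello_retry, PS, false) andalso maps:get(middlebox_comp_mode, SslOpts, true) of` is equivalent and conventional. `SslOpts` is not bound anywhere visible in the hunk — the `ssl_options = #{...}` match at the top of do_start is cut off — so presumably it is bound with `= SslOpts` later in the head, which is worth a glance since a missing binding is a compile error. The comment could also record the two defaults the logic relies on: `%% hello_retry defaults to false (first ClientHello); middlebox_comp_mode defaults to true`. do_start begins before the first hunk and its try/catch continues past the end of this one.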