author | Erlang/OTP <otp@erlang.org> | 2023-02-16 15:15:18 +0100 |
---|---|---|
committer | Erlang/OTP <otp@erlang.org> | 2023-02-16 15:15:18 +0100 |
commit | a0f624e5ab4f90978fbc511e89d5f4cd3496d19d (patch) | |
tree | 3191c41bfe4ff53538eb75afbbd999ad5cc9978b | |
parent | b2f4219c16d7e12f1361b9a3cf2134018a375381 (diff) | |
parent | 660b95947134f0ff5ed267f810a95b69e83bd243 (diff) | |
Merge branch 'ingela/maint-25/ssl/middlebox_hello_retry_request/GH-6807/OTP-18467' into maint-25
* ingela/maint-25/ssl/middlebox_hello_retry_request/GH-6807/OTP-18467:
ssl: Adjust assert of middlebox change_cipher_spec for better interop
-rw-r--r-- | lib/ssl/src/tls_connection_1_3.erl | 6 | ||||
-rw-r--r-- | lib/ssl/src/tls_handshake_1_3.erl | 14 |
2 files changed, 15 insertions, 5 deletions
diff --git a/lib/ssl/src/tls_connection_1_3.erl b/lib/ssl/src/tls_connection_1_3.erl
index edba6887f5..99d0a86bd3 100644
--- a/lib/ssl/src/tls_connection_1_3.erl
+++ b/lib/ssl/src/tls_connection_1_3.erl
@@ -446,8 +446,8 @@ wait_sh(internal, #server_hello{} = Hello,
 #alert{} = Alert ->
 ssl_gen_statem:handle_own_alert(Alert, wait_sh, State0);
 {State1 = #state{}, start, ServerHello} ->
- %% hello_retry_request : assert middlebox before going back to start
- {next_state, hello_retry_middlebox_assert, State1, [{next_event, internal, ServerHello}]};
+ %% hello_retry_request: go to start
+ {next_state, start, State1, [{next_event, internal, ServerHello}]};
 {State1, wait_ee} when IsRetry == true ->
 tls_gen_connection:next_event(wait_ee, no_record, State1);
 {State1, wait_ee} when IsRetry == false ->
@@ -470,7 +470,7 @@ hello_middlebox_assert(Type, Msg, State) ->
 hello_retry_middlebox_assert(enter, _, State) ->
 {keep_state, State};
 hello_retry_middlebox_assert(internal, #change_cipher_spec{}, State) ->
- tls_gen_connection:next_event(start, no_record, State);
+ tls_gen_connection:next_event(wait_sh, no_record, State);
 hello_retry_middlebox_assert(internal, #server_hello{}, State) ->
 tls_gen_connection:next_event(?FUNCTION_NAME, no_record, State, [postpone]);
 hello_retry_middlebox_assert(info, Msg, State) ->
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 176d659937..e68e4193d5 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -751,6 +751,7 @@ do_start(#server_hello{cipher_suite = SelectedCipherSuite,
 handshake_env = #handshake_env{renegotiation = {Renegotiation, _},
 ocsp_stapling_state = OcspState},
 connection_env = #connection_env{negotiated_version = NegotiatedVersion},
+ protocol_specific = PS,
 ssl_options = #{ciphers := ClientCiphers,
 supported_groups := ClientGroups0,
 use_ticket := UseTicket, 
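Review bot: The `#change_cipher_spec{}` clause of `hello_retry_middlebox_assert` now resumes at `wait_sh`, and the `wait_sh` hunk above no longer enters this state, so its only remaining entry is the `hello_retry_middlebox_assert` result that `do_start` returns in the next file; nothing at the state itself documents that contract. That matters because the `#server_hello{}` clause postpones the second ServerHello, so a peer that never sends the dummy CCS leaves that message postponed until whatever clause outside this hunk handles timeouts or unexpected input, which I cannot see here. I would add above the first clause: `%% Entered from start after a hello_retry_request when middlebox_comp_mode is set: the server is then expected to send a dummy change_cipher_spec immediately after the HelloRetryRequest (RFC 8446 Appendix D.4), so consume it here and postpone the second server_hello until it has arrived.` The `info` clause and the rest of the function continue past the hunk.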
@@ -824,8 +825,17 @@ do_start(#server_hello{cipher_suite = SelectedCipherSuite, handshake_env = HsEnv#handshake_env{tls_handshake_history = HHistory}, key_share = ClientKeyShare}, - {State, wait_sh} - + %% If it is a hello_retry and middlebox mode is + %% used assert the change_cipher_spec message + %% that the server should send next + case (maps:get(hello_retry, PS, false)) andalso + (maps:get(middlebox_comp_mode, SslOpts, true)) + of + true -> + {State, hello_retry_middlebox_assert}; + false -> + {State, wait_sh} + end catch {Ref, #alert{} = Alert} -> Alert |
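Review bot: The new `case` relies on `SslOpts` being bound to the `ssl_options` map in the `do_start` head, which lies outside this hunk (the earlier hunk shows the map being matched but no `= SslOpts` binding), so that name being in scope is worth confirming, as is whether `middlebox_comp_mode` can really be absent there given that `maps:get/3` silently defaults it to `true`. The three-line comment reads awkwardly and does not say why the assert exists; I would replace it with `%% After a hello_retry_request in middlebox compatibility mode the server must send a dummy change_cipher_spec next (RFC 8446 Appendix D.4); consume it before waiting for the second server_hello.` The redundant parentheses can also go: `case maps:get(hello_retry, PS, false) andalso maps:get(middlebox_comp_mode, SslOpts, true) of`. The `try` that this expression is the result of begins outside the hunk.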