diff options
| author | Matt Caswell <matt@openssl.org> | 2019-01-27 11:00:16 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-02-14 16:17:34 +0000 |
| commit | 4af5836b55442f31795eff6c8c81ea7a1b8cf94b (patch) | |
| tree | 9c0e2318753afbc715e71ad91dbf557205a2e4a5 /ssl/statem/statem.c | |
| parent | 3c83c5ba4f6502c708b7a5f55c98a10e312668da (diff) | |
Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages
The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.
This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.
This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.
Fixes #8069
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)
Diffstat (limited to 'ssl/statem/statem.c')
| -rw-r--r-- | ssl/statem/statem.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index ebe471b65c..24c7e94ef1 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -342,8 +342,10 @@ static int state_machine(SSL *s, int server) } s->server = server; - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_START, 1); + if (cb != NULL) { + if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_IS_TLS13(s)) + cb(s, SSL_CB_HANDSHAKE_START, 1); + } /* * Fatal errors in this block don't send an alert because we have |