Branch: refs/heads/OpenSSL_1_1_1-stable
Home: https://github.openssl.org/openssl/openssl
Commit: 6e73a0a0bd608daecb8e2c1e46de9d1014194c84
https://github.openssl.org/openssl/openssl/commit/6e73a0a0bd608daecb8e2c1e46de9d1014194c84
Author: Bernd Edlinger <[email protected]>
Date: 2022-04-13 (Wed, 13 Apr 2022)
Changed paths:
M ssl/s3_enc.c
M ssl/t1_enc.c
M test/ssl-tests/10-resumption.conf
M test/ssl-tests/11-dtls_resumption.conf
M test/ssl-tests/protocol_version.pm
Log Message:
-----------
Fix a DTLS server hangup due to TLS13_AD_MISSING_EXTENSION
This causes the DTLS server to enter an error state:
./openssl s_server -dtls
./openssl s_client -dtls -maxfraglen 512 -sess_out s1.txt
[...]
Q
./openssl s_client -dtls -sess_in s1.txt
CONNECTED(00000003)
^C
./openssl s_client -dtls
CONNECTED(00000003)
140335537067840:error:14102410:SSL routines:dtls1_read_bytes:sslv3 alert
handshake failure:ssl/record/rec_layer_d1.c:614:SSL alert number 40
At this point the dtls server needs to be restarted,
because verify_cookie_callback always fails, because
the previous cookie is checked against the current one.
The reason for this is not fully understood.
In wireshark we see the following each time:
c->s Client Hello (without cookie)
s->c Hello Verify Request (with new cookie)
s->c Alert (Level: Fatal, Description: Handshake Failure)
c->s Client Hello (echoes new cookie)
The client gives up when the Alert arrives.
The Alert is triggered because the server calls
verify_cookie_callback with the previous cookie,
although it just sent the current cookie in the
Hello Verify Request.
However this does only happen because no Alert message
is sent when the client re-connects the session with
the missing -maxfraglen option.
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/18094)
