be more careful about session established. Fixes #4878
authorAlan T. DeKok <aland@freeradius.org>
Wed, 1 Feb 2023 19:38:53 +0000 (14:38 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Wed, 1 Feb 2023 19:39:19 +0000 (14:39 -0500)
src/main/tls.c

index 5ca2f5fed250dd5c3ce84757fff737384a391617..4f34d70faccc5098bc1175cfae047c141fee6b90 100644 (file)
@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
                return FR_TLS_FAIL;
 
        case handshake:
-               if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) {
+               if (ssn->dirty_out.used > 0) {
+                       RDEBUG2("(TLS) Peer ACKed our handshake fragment");
+                       /* Fragmentation handler, send next fragment */
+                       return FR_TLS_REQUEST;
+               }
+
+               if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) {
                        RDEBUG2("(TLS) Peer ACKed our handshake fragment.  handshake is finished");
 
                        /*
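Review bot: The success test `if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl))` accepts either the cached flag or OpenSSL's live state, and nothing in the hunk says why both are needed or which is authoritative when they disagree. Because this branch is what turns a peer ACK into FR_TLS_SUCCESS, a comment above it would help, e.g. `/* No output pending: succeed only if the handshake has completed. Ask OpenSSL as well, in case the cached flag has not been updated yet. */`. The second sentence of that comment is my reading and should be confirmed. The body of this branch and the rest of tls_ack_handler lie outside the hunk, so I cannot tell whether ssn->is_init_finished is brought back in sync when only the OpenSSL check is true.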
@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
                        return FR_TLS_SUCCESS;
                } /* else more data to send */
 
-               RDEBUG2("(TLS) Peer ACKed our handshake fragment");
-               /* Fragmentation handler, send next fragment */
-               return FR_TLS_REQUEST;
+               REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
+               return FR_TLS_FAIL;
 
        case application_data:
                RDEBUG2("(TLS) Peer ACKed our application data fragment");
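Review bot: The context comment `} /* else more data to send */` is now misleading, because pending output is handled earlier by the new `dirty_out.used > 0` check and falling out of the `if` now ends in FR_TLS_FAIL. It should read something like `} /* else: ACK with nothing pending and the handshake unfinished */`. The new error text "Cannot continue, as the peer is misbehaving." also gives an operator little to triage with. Naming the condition, e.g. `REDEBUG("(TLS) Peer sent an ACK, but the handshake is not finished and we have nothing more to send");`, would make these rejections identifiable in the logs. tls_ack_handler begins and ends outside this hunk.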