git.ipfire.org Git - thirdparty/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Fri, 9 May 2025 08:58:15 +0000 (09:58 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Wed, 4 Jun 2025 15:24:17 +0000 (17:24 +0200)
commit	4c246610f0e9385cb42416d16a103986a8775987
tree	72bc2d37b3a1420fba566de0617b3e48b8d253fc	tree
parent	2762016a2b23510da8c57986ee417edac3467f95	commit \| diff

Fix DTLS handling when receiving a no_renegotiation alert

no_renegotiation is a warning alert sent from the server when it is not
prepared to accept a renegotiation attempt. In TLS we abort the connection
when we receive one of these - which is a reasonable response. However,
in DTLS we incorrectly ignore this and keep trying to renegotiate.

We bring the DTLS handling of a no_renegotiation alert into line with
how TLS handles this. In versions prior to 3.2 handling of a warning
alert in DTLS was mishandled resulting in a failure of the connection,
which ends up being the right thing to do "by accident" in the case of
"no_renegotiation". From 3.2 this mishandling was fixed, but exposed this
latent bug.

Fixes #27419

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)

(cherry picked from commit e5feca0659ef6119f6cedfab1b6af034735723ff)

ssl/record/rec_layer_d1.c		diff \| blob \| blame \| history
ssl/record/rec_layer_s3.c		diff \| blob \| blame \| history