Correct alert when extended master secret support is dropped

When resuming session with the extended master secret support
dropped we should use SSL_AD_HANDSHAKE_FAILURE instead of
SSL_AD_ILLEGAL_PARAMETER according to the RFC7627 section 5.

Fixes #9791

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Jan 23 10:33:12 2026
(Merged from https://github.com/openssl/openssl/pull/29706)

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 47a0e52ea97fa1c5352a8931525d7de14c51a92e..3873a96d2186b999a664fd0bfe8506532ef0f530 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -678,7 +678,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
     if (ret->flags & SSL_SESS_FLAG_EXTMS) {
         /* If old session includes extms, but new does not: abort handshake */
         if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)) {
-            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INCONSISTENT_EXTMS);
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
             fatal = 1;
             goto err;
         }