git.ipfire.org Git - thirdparty/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Fri, 9 May 2025 08:58:15 +0000 (09:58 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Wed, 4 Jun 2025 15:29:34 +0000 (17:29 +0200)
commit	1e2ed8e224e91af5f60b2ee228183642fa74832e
tree	9200f7b150bb12b696fe8930219cd2e668d9668c	tree
parent	dc3a5950aa0013e194df5fb432ec3866adcb26aa	commit \| diff

Fix DTLS handling when receiving a no_renegotiation alert

no_renegotiation is a warning alert sent from the server when it is not
prepared to accept a renegotiation attempt. In TLS we abort the connection
when we receive one of these - which is a reasonable response. However,
in DTLS we incorrectly ignore this and keep trying to renegotiate.

We bring the DTLS handling of a no_renegotiation alert into line with
how TLS handles this. In versions prior to 3.2 handling of a warning
alert in DTLS was mishandled resulting in a failure of the connection,
which ends up being the right thing to do "by accident" in the case of
"no_renegotiation". From 3.2 this mishandling was fixed, but exposed this
latent bug.

Fixes #27419

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)

(cherry picked from commit e5feca0659ef6119f6cedfab1b6af034735723ff)

ssl/record/rec_layer_d1.c		diff \| blob \| blame \| history
ssl/record/rec_layer_s3.c		diff \| blob \| blame \| history