1 change: 1 addition & 0 deletions include/h2o/socket.h
Expand Up @@ -164,6 +164,7 @@ extern const char h2o_socket_error_ssl_no_cert[];
extern const char h2o_socket_error_ssl_cert_invalid[];
extern const char h2o_socket_error_ssl_cert_name_mismatch[];
extern const char h2o_socket_error_ssl_decode[];
extern const char h2o_socket_error_ssl_handshake[];

/**
* returns the loop
15 changes: 14 additions & 1 deletion lib/common/socket.c
Expand Up @@ -139,6 +139,7 @@ const char h2o_socket_error_ssl_no_cert[] = "no certificate";
const char h2o_socket_error_ssl_cert_invalid[] = "invalid certificate";
const char h2o_socket_error_ssl_cert_name_mismatch[] = "certificate name mismatch";
const char h2o_socket_error_ssl_decode[] = "SSL decode error";
const char h2o_socket_error_ssl_handshake[] = "ssl handshake failure";

static void (*resumption_get_async)(h2o_socket_t *sock, h2o_iovec_t session_id);
static void (*resumption_new)(h2o_socket_t *sock, h2o_iovec_t session_id, h2o_iovec_t session_data);
Expand Down Expand Up @@ -1019,6 +1020,11 @@ static void on_handshake_complete(h2o_socket_t *sock, const char *err)
handshake_cb(sock, err);
}

static void on_handshake_failure_ossl111(h2o_socket_t *sock, const char *err)
{
on_handshake_complete(sock, h2o_socket_error_ssl_handshake);
}

static void proceed_handshake(h2o_socket_t *sock, const char *err)
{
h2o_iovec_t first_input = {NULL};
Expand Down Expand Up @@ -1135,7 +1141,14 @@ static void proceed_handshake(h2o_socket_t *sock, const char *err)
if (verify_result != X509_V_OK) {
err = X509_verify_cert_error_string(verify_result);
} else {
err = "ssl handshake failure";
err = h2o_socket_error_ssl_handshake;
/* OpenSSL 1.1.0 emits an alert immediately, we send it now. 1.0.2 emits the error when SSL_shutdown is called in
* shutdown_ssl. */
if (sock->ssl->output.bufs.size != 0) {
h2o_socket_read_stop(sock);
flush_pending_ssl(sock, on_handshake_failure_ossl111);
return;
}
}
goto Complete;
}
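Review bot: In the third hunk of proceed_handshake the new flush-before-completing path is only taken in the `else` branch, so when `verify_result != X509_V_OK` the code still falls through to `goto Complete` with whatever OpenSSL queued in `sock->ssl->output.bufs` unsent; if the OpenSSL 1.1.0 behaviour described in the new comment also holds for the alert emitted on a certificate-verification failure, the peer would presumably again see a dropped connection rather than an alert on that path, so it is worth confirming and, if so, moving the `output.bufs.size != 0` check out of the `else` while keeping the `X509_verify_cert_error_string` result as the reported error. on_handshake_failure_ossl111 (second hunk) also discards the `err` it receives from flush_pending_ssl, so a write failure while flushing the alert is reported as a handshake failure; that looks intentional but deserves a one-line comment, e.g. `/* the handshake has already failed; an error while flushing the alert does not change the outcome */`. The helper is named for 1.1.1 while the comment says OpenSSL 1.1.0 emits the alert immediately — pick one so the two agree. proceed_handshake starts and ends outside the hunk.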
4 changes: 4 additions & 0 deletions t/40ssl-cipher-suite.t
Expand Up @@ -35,4 +35,8 @@ my ($guard, $pid) = spawn_server(
my $log = `openssl s_client -cipher AES256-SHA:AES128-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`;
like $log, qr/^\s*Cipher\s*:\s*AES128-SHA\s*$/m;

# connect to the server with AES256-SHA as the only choice, and check that handshake failure is returned
$log = `openssl s_client -cipher AES256-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`;
like $log, qr/alert handshake failure/m; # "handshake failure" the official name for TLS alert 40

done_testing;
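Review bot: The trailing comment on the new `like` line is missing a verb and does not say what the match is for; `# "handshake failure" is the official name of TLS alert 40; the match is on the reason s_client prints when it *receives* the alert, i.e. the server actually delivered it` would make the assertion's intent explicit. The pattern `qr/alert handshake failure/m` is deliberately loose enough to match both the older "sslv3 alert handshake failure" and newer "ssl/tls alert handshake failure" reason strings, which is presumably why it is not anchored to a full line like the `Cipher` check above it; a comment saying so would stop a future tightening.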