CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2021/08/30 10:50:23
Modified files:
lib/libssl : tls13_legacy.c
Log message:
Ignore warning alert returns from servername callback in TLSv1.3
If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this
results in a fatal error in TLSv1.3 since alert levels are implicit
in the alert type and neither close_notify nor user_canceled make
sense in this context. OpenSSL chose to ignore this, so we need to
follow suit.
Found via a broken servername callback in p5-IO-Socket-SSL which
returns a Boolean instead of SSL_TLSEXT_ERR_*. This happened to
have worked before TLSv1.3 since warning alerts are often ignored.
This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL.
ok beck jsing
