CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2021/08/30 10:50:23

Modified files:
    lib/libssl : tls13_legacy.c

Log message:
Ignore warning alert returns from servername callback in TLSv1.3

If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this results
in a fatal error in TLSv1.3 since alert levels are implicit in the alert type
and neither close_notify nor user_canceled make sense in this context.
OpenSSL chose to ignore this, so we need to follow suit.

Found via a broken servername callback in p5-IO-Socket-SSL which returns
a Boolean instead of SSL_TLSEXT_ERR_*. This happened to have worked before
TLSv1.3 since warning alerts are often ignored.

This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL.

ok beck jsing
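
Added example, not part of the commit or of LibreSSL: a stand-alone C model of why a servername callback that returns a Boolean misbehaves, and of the TLSv1.3 handling before and after this change as the log message describes it. The SSL_TLSEXT_ERR_* values mirror <openssl/tls1.h>; the callbacks take the host name directly instead of the real (SSL *, int *, void *) signature, and known_host, handle_cb_result, the outcome enum and the host name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Values mirror <openssl/tls1.h>; redefined so this builds without it. */
#define SSL_TLSEXT_ERR_OK            0
#define SSL_TLSEXT_ERR_ALERT_WARNING 1
#define SSL_TLSEXT_ERR_ALERT_FATAL   2
#define SSL_TLSEXT_ERR_NOACK         3

enum outcome { HS_CONTINUE, HS_CONTINUE_AFTER_WARNING, HS_ABORT };

/* Hypothetical vhost lookup; the host name is constructed sample data. */
static int known_host(const char *name) {
    return name != NULL && strcmp(name, "www.example.test") == 0;
}

/* Broken: Boolean return. true (1) reads as ALERT_WARNING, false (0) as OK,
 * so a match raises a warning and a mismatch is silently accepted. */
int broken_servername_cb(const char *name) {
    return known_host(name);
}

/* Fixed: returns SSL_TLSEXT_ERR_*; rejecting unknown names is a policy choice. */
int fixed_servername_cb(const char *name) {
    if (name == NULL)
        return SSL_TLSEXT_ERR_NOACK;
    return known_host(name) ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_FATAL;
}

/* Simplified model of the library side. tls13: negotiated TLSv1.3.
 * ignore_warning: behaviour after this commit (0 models the state before). */
enum outcome handle_cb_result(int ret, int tls13, int ignore_warning) {
    switch (ret) {
    case SSL_TLSEXT_ERR_ALERT_FATAL:
        return HS_ABORT;
    case SSL_TLSEXT_ERR_ALERT_WARNING:
        if (!tls13)
            return HS_CONTINUE_AFTER_WARNING; /* peers often ignore it */
        return ignore_warning ? HS_CONTINUE : HS_ABORT;
    default:
        return HS_CONTINUE;
    }
}

int main(void) {
    int ret = broken_servername_cb("www.example.test");
    printf("broken cb=%d tls13 before=%d after=%d\n", ret,
        (int)handle_cb_result(ret, 1, 0), (int)handle_cb_result(ret, 1, 1));
    return 0;
}
```

The second collision matters independently of this commit: a Boolean callback that returns false to refuse a name is read as SSL_TLSEXT_ERR_OK.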