File 1084-ssl-Old-server-should-ignore-new-extension.patch of Package erlang

From f42c07680f4695d746c68c916aa1c8e07c52b30f Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 27 Sep 2024 14:17:14 +0200
Subject: [PATCH] ssl: Old server should ignore new extension

---
 lib/ssl/src/tls_handshake.erl          |  4 ++--
 lib/ssl/test/tls_1_3_version_SUITE.erl | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index e99bbecbe8..837943d83e 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -242,8 +242,8 @@ hello(#client_hello{client_version = _ClientVersion,
                     extensions = #{client_hello_versions :=
                                        #client_hello_versions{versions = ClientVersions}
                                   }} = Hello,
-      #{versions := Versions} = SslOpts,
-      Info, Renegotiation) ->
+      #{versions := Versions = [Version |_]} = SslOpts,
+      Info, Renegotiation) when Version >= {3,3} ->
     try
         Version = ssl_handshake:select_supported_version(ClientVersions, Versions),
         do_hello(Version, Versions, CipherSuites, Hello, SslOpts, Info, Renegotiation)
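Review bot: `Version` is now bound in the clause head to the first element of `Versions`, so the unchanged line `Version = ssl_handshake:select_supported_version(ClientVersions, Versions)` inside the `try` is no longer a fresh binding but a match against that value. If the selected version can differ from the head of the list (for example a server configured for several versions and a client whose supported_versions extension offers only a lower one, assuming the list is ordered highest first), the match raises `badmatch`, and the handshake then ends in whatever the `catch` maps it to; that `catch` lies outside this hunk. Binding a separate name avoids this: `#{versions := Versions = [HighestVersion |_]} = SslOpts,` with the guard `when HighestVersion >= {3,3} ->`. A short comment noting that `{3,3}` is TLS 1.2 would also make the guard easier to read.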
diff --git a/lib/ssl/test/tls_1_3_version_SUITE.erl b/lib/ssl/test/tls_1_3_version_SUITE.erl
index 2ba02d006e..5e5d00be55 100644
--- a/lib/ssl/test/tls_1_3_version_SUITE.erl
+++ b/lib/ssl/test/tls_1_3_version_SUITE.erl
@@ -56,6 +56,8 @@
          tls11_client_tls_server/1,
          tls12_client_tls_server/0,
          tls12_client_tls_server/1,
+         tls13_client_tls11_server/0,
+         tls13_client_tls11_server/1,
          middle_box_tls13_client/0,
          middle_box_tls13_client/1,
          middle_box_tls12_enabled_client/0,
@@ -107,7 +109,9 @@ legacy_tests() ->
      tls_client_tls12_server,
      tls10_client_tls_server,
      tls11_client_tls_server,
-     tls12_client_tls_server].
+     tls12_client_tls_server,
+     tls13_client_tls11_server
+    ].
 
 init_per_suite(Config) ->
     catch crypto:stop(),
@@ -402,6 +406,13 @@ renegotiate_error(Config) when is_list(Config) ->
             ct:fail(Reason)
     end.
 
+tls13_client_tls11_server() ->
+    [{doc,"Test that a TLS 1.3 client gets old server alert from TLS 1.0 server."}].
+tls13_client_tls11_server(Config) when is_list(Config) ->
+    ClientOpts = [{versions, ['tlsv1.3']} | ssl_test_lib:ssl_options(client_cert_opts, Config)],
+    ServerOpts =  [{versions, ['tlsv1']} | ssl_test_lib:ssl_options(server_cert_opts, Config)],
+    ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security).
+
 %%--------------------------------------------------------------------
 %% Internal functions and callbacks -----------------------------------
 %%--------------------------------------------------------------------
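Review bot: The test is named `tls13_client_tls11_server`, but the server is configured with `{versions, ['tlsv1']}` and the doc string says "TLS 1.0 server", so the name disagrees with what is exercised. Either rename it to `tls13_client_tls10_server` (also in the export list and in `legacy_tests/0`) or configure `'tlsv1.1'`. The case only covers a server whose highest version is below the new guard in tls_handshake.erl. A companion case with a multi-version server and a client offering only the lower of those versions would pin the behaviour of the guarded clause itself, unless another case in the suite already does.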
-- 
2.43.0
