File 0663-ssl-Improve-error-handling-of-client-certificate-mes.patch of Package erlang
From 98037b81c1e723cc95045e27789fbb82d7ed8391 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 17 Nov 2025 11:40:58 +0100
Subject: [PATCH] ssl: Improve error handling of client certificate messages
Make sure to check pre-condition as well as post-condition for
client certificate messages.
---
lib/ssl/src/tls_dtls_connection.erl | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/ssl/src/tls_dtls_connection.erl b/lib/ssl/src/tls_dtls_connection.erl
index dd21238dd4..ab38dca55c 100644
--- a/lib/ssl/src/tls_dtls_connection.erl
+++ b/lib/ssl/src/tls_dtls_connection.erl
@@ -321,6 +321,7 @@ certify(internal, #certificate{asn1_certificates = []},
certify(internal, #certificate{asn1_certificates = []},
#state{static_env = #static_env{role = server,
protocol_cb = Connection},
+ client_certificate_status = requested,
ssl_options = #{verify := verify_peer,
fail_if_no_peer_cert := false}} =
State0) ->
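Review bot: The new `client_certificate_status = requested` match in this clause head has no comment saying what happens to an empty Certificate when the status is anything else, and the diffstat shows no test covering that path. With the added match, such a message no longer lands here and presumably falls through to a later `certify/3` clause outside the hunk, so it is worth confirming that clause ends in an alert rather than a `function_clause` crash. A line such as `%% An empty Certificate is only valid while a CertificateRequest is outstanding` above the clause would pin the intent, along with a test where the server receives an empty Certificate without having requested one. The clause body lies outside the hunk.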
@@ -330,9 +331,10 @@ certify(internal, #certificate{},
ssl_options = #{verify := verify_none}}) ->
throw(?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE, unrequested_certificate));
certify(internal, #certificate{},
- #state{static_env = #static_env{protocol_cb = Connection},
- handshake_env = #handshake_env{
- ocsp_stapling_state = #{ocsp_expect := staple}}} = State) ->
+ #state{client_certificate_status = requested,
+ static_env = #static_env{protocol_cb = Connection},
+ handshake_env =
+ #handshake_env{ocsp_stapling_state = #{ocsp_expect := staple}}} = State) ->
Connection:next_event(wait_ocsp_stapling, no_record, State, [{postpone, true}]);
certify(internal, #certificate{asn1_certificates = [Peer|_]} = Cert,
#state{static_env = #static_env{
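Review bot: The stapling clause (`ocsp_expect := staple`) still does not match on `role`, yet it now requires `client_certificate_status = requested`, a field the earlier clause in this patch pairs with `role = server`. If this is the clause a client reaches when the server's Certificate arrives and a staple is expected, it is worth confirming the field is already `requested` at that point. Otherwise the message would skip `wait_ocsp_stapling` and fall to the `[Peer|_]` clause below, which would change how stapled responses are checked. Pinning `role` in the head, or adding a short comment stating which side this clause serves, would make the precondition unambiguous. The `[Peer|_]` clause continues past the end of the hunk.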
--
2.51.0