diff options
author | Andreas Schultz <[email protected]> | 2017-07-21 15:09:35 +0200 |
---|---|---|
committer | Andreas Schultz <[email protected]> | 2017-07-21 15:09:35 +0200 |
commit | 9214be49bc81a4f9ce9def091f60df8670547a88 (patch) | |
tree | ea343f32dc658fb230c9d2f32e5c7c7c1f44fee3 /lib/ssl/src/ssl_connection.erl | |
parent | 33055f145d02c744e533b15df27f22e7d52d9148 (diff) | |
download | otp-9214be49bc81a4f9ce9def091f60df8670547a88.tar.gz otp-9214be49bc81a4f9ce9def091f60df8670547a88.tar.bz2 otp-9214be49bc81a4f9ce9def091f60df8670547a88.zip |
ssl: don't sent client certificate with anon ciphers
whatever the SSL options say, when we negotiated a anonymous,
PSK or SRP cipher suites, client certificates and certificate
requests are not permitted.
Diffstat (limited to 'lib/ssl/src/ssl_connection.erl')
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 0163d08f2a..eaa0058337 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -542,6 +542,15 @@ certify(internal, #server_key_exchange{exchange_keys = Keys}, end end; +certify(internal, #certificate_request{}, + #state{role = client, negotiated_version = Version, + key_algorithm = Alg} = State, _) + when Alg == dh_anon; Alg == ecdh_anon; + Alg == psk; Alg == dhe_psk; Alg == rsa_psk; + Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon -> + handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE), + Version, certify, State); + certify(internal, #certificate_request{} = CertRequest, #state{session = #session{own_certificate = Cert}, role = client, @@ -1672,6 +1681,12 @@ rsa_psk_key_exchange(Version, PskIdentity, PremasterSecret, rsa_psk_key_exchange(_, _, _, _) -> throw (?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE, pub_key_is_not_rsa)). +request_client_cert(#state{key_algorithm = Alg} = State, _) + when Alg == dh_anon; Alg == ecdh_anon; + Alg == psk; Alg == dhe_psk; Alg == rsa_psk; + Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon -> + State; + request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer, signature_algs = SupportedHashSigns}, connection_states = ConnectionStates0, |