author | Erlang/OTP <[email protected]> | 2018-05-02 15:53:28 +0200 |
---|---|---|
committer | Erlang/OTP <[email protected]> | 2018-05-02 15:53:28 +0200 |
commit | 83455cc2a96d0ffd73a417846fa06882ad6b39d4 (patch) | |
tree | 0ca49231c595fa2894af1474be210949c8c18f58 /lib/ssl/src/ssl_connection.erl | |
parent | 6faad4dd9c202931469bc25cea5a0e47aa0000dc (diff) | |
parent | 8c8d71980e1f94a3987e4e72e93b3e8a84c49f6a (diff) | |
Merge branch 'ingela/ssl/client-has-no-cert/ERL-599/OTP-15050' into maint-20
* ingela/ssl/client-has-no-cert/ERL-599/OTP-15050:
ssl: Prepare for release
ssl: Proper handling of clients that choose to send an empty answer to a certificate request
Diffstat (limited to 'lib/ssl/src/ssl_connection.erl')
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 63fae78195..64ecc29b97 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -709,6 +709,22 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},
 Version, ?FUNCTION_NAME, State)
 end
 end;
+certify(internal, #certificate_request{},
+ #state{role = client, negotiated_version = Version,
+ key_algorithm = Alg} = State, _)
+ when Alg == dh_anon; Alg == ecdh_anon;
+ Alg == psk; Alg == dhe_psk; Alg == ecdhe_psk; Alg == rsa_psk;
+ Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
+ handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE),
+ Version, ?FUNCTION_NAME, State);
+certify(internal, #certificate_request{},
+ #state{session = #session{own_certificate = undefined},
+ role = client} = State0, Connection) ->
+ %% The client does not have a certificate and will send an empty reply, the server may fail
+ %% or accept the connection by its own preference. No signature algorihms needed as there is
+ %% no certificate to verify.
+ {Record, State} = Connection:next_record(State0),
+ Connection:next_event(?FUNCTION_NAME, Record, State#state{client_certificate_requested = true});
 certify(internal, #certificate_request{} = CertRequest,
 #state{session = #session{own_certificate = Cert},
 role = client, |
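Review bot: The first added `certify/4` clause aborts with a fatal handshake_failure when a CertificateRequest arrives under an anonymous, PSK or SRP key exchange, but unlike the second clause it has no comment saying why; a line such as `%% A server using anonymous, PSK or SRP key exchange must not request a client certificate (RFC 5246 7.4.4 covers the anonymous case)` would record the intent. The clause order is load-bearing and should be mentioned in that comment: this clause has to stay ahead of the `own_certificate = undefined` clause, otherwise a certificate-less client on one of these suites would continue the handshake with an empty reply instead of aborting. In the second clause's comment, `algorihms` should read `algorithms`. The `certify/4` clauses begin before and continue after this hunk, so how the following clause handles `own_certificate = Cert` cannot be checked from here.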