Merge branch 'ia/pr/678/OTP-1267'

* ia/pr/678/OTP-1267: Revert "Add workaround for problems with s_client defaults" ssl: Add unit test case ssl: Ignore signature_algorithm (TLS 1.2 extension) sent to TLS 1.0/1 server
author: Ingela Anderton Andin <[email protected]> 2015-04-22 09:33:49 +0200
committer: Ingela Anderton Andin <[email protected]> 2015-04-22 09:33:49 +0200
commit: 4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1 (patch)
tree: a189aa7d88ec73e01df515b66a433257c8fa507a /lib/ssl/src/ssl_handshake.erl
parent: c72bf109ab015815ac828e6faf823ec721cea5da (diff)
parent: 5edda23ee854038c9d4bcddd0d676ee0ffd20da5 (diff)
download: otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.gz
otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.bz2
otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.zip
1 files changed, 9 insertions, 6 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index f29aa00a60..b538fefe53 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -578,11 +578,10 @@ prf({3,_N}, Secret, Label, Seed, WantedLength) ->
 %%--------------------------------------------------------------------
 select_hashsign(_, undefined, _Version) ->
     {null, anon};
-select_hashsign(undefined,  Cert, Version) ->
-    #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp),
-    #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
-    select_hashsign_algs(undefined, Algo, Version);
-select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, Version) ->
+%% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have
+%% negotiated a lower version.
+select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, {Major, Minor} = Version)
+  when Major >= 3 andalso Minor >= 3 ->
     #'OTPCertificate'{tbsCertificate = TBSCert} =public_key:pkix_decode_cert(Cert, otp),
     #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
     DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo, Version),
@@ -600,7 +599,11 @@ select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, Version) ->
 	    DefaultHashSign;
 	[HashSign| _] ->
 	    HashSign
-    end.
+    end;
+select_hashsign(_, Cert, Version) ->
+    #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp),
+    #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
+    select_hashsign_algs(undefined, Algo, Version).
 
 %%--------------------------------------------------------------------
 -spec select_hashsign_algs(#hash_sign_algos{}| undefined, oid(), ssl_record:ssl_version()) ->
author	Ingela Anderton Andin <[email protected]>	2015-04-22 09:33:49 +0200
committer	Ingela Anderton Andin <[email protected]>	2015-04-22 09:33:49 +0200
commit	4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1 (patch)
tree	a189aa7d88ec73e01df515b66a433257c8fa507a /lib/ssl/src/ssl_handshake.erl
parent	c72bf109ab015815ac828e6faf823ec721cea5da (diff)
parent	5edda23ee854038c9d4bcddd0d676ee0ffd20da5 (diff)
download	otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.gz otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.bz2 otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.zip