Merge branch 'ia/ssl/CSS/OTP-11975' into maint

* ia/ssl/CSS/OTP-11975:
  ssl: Make sure change cipher spec is correctly handled

1 files changed, 7 insertions, 3 deletions

diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 2ab085321a..26de51985a 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -444,12 +444,16 @@ next_state(_, StateName, #ssl_tls{type = ?APPLICATION_DATA, fragment = Data}, St
    	    next_state(StateName, StateName, Record, State)
     end;
 next_state(Current, Next, #ssl_tls{type = ?CHANGE_CIPHER_SPEC, fragment = <<1>>} = 
- 	   _ChangeCipher, 
- 	   #state{connection_states = ConnectionStates0} = State0) ->
+	       _ChangeCipher, 
+ 	   #state{connection_states = ConnectionStates0} = State0) 
+  when Next == cipher; Next == abbreviated ->
     ConnectionStates1 =
 	ssl_record:activate_pending_connection_state(ConnectionStates0, read),
     {Record, State} = next_record(State0#state{connection_states = ConnectionStates1}),
-    next_state(Current, Next, Record, State);
+    next_state(Current, Next, Record, State#state{expecting_finished = true});
+next_state(Current, _Next, #ssl_tls{type = ?CHANGE_CIPHER_SPEC, fragment = <<1>>} = 
+ 	       _ChangeCipher, #state{negotiated_version = Version} = State) ->
+    handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE), Version, Current, State);
 next_state(Current, Next, #ssl_tls{type = _Unknown}, State0) ->
     %% Ignore unknown type 
     {Record, State} = next_record(State0),