diff options
author | Péter Dimitrov <[email protected]> | 2019-06-14 15:53:47 +0200 |
---|---|---|
committer | Péter Dimitrov <[email protected]> | 2019-06-14 15:53:47 +0200 |
commit | dca65c70badd3b33903a0535ef2366eecc3e12dc (patch) | |
tree | 6989f3cd54aacc6fc37c42b8169735b574398091 /lib/ssl/src/tls_v1.erl | |
parent | b4fb2e5669acb02697d9a9ab168eb0fbff6f370c (diff) | |
download | otp-dca65c70badd3b33903a0535ef2366eecc3e12dc.tar.gz otp-dca65c70badd3b33903a0535ef2366eecc3e12dc.tar.bz2 otp-dca65c70badd3b33903a0535ef2366eecc3e12dc.zip |
ssl: Improve handling of signature algorithms
TLS 1.2 ClientHello caused handshake failure in the TLS 1.2 server
if the signature_algorithms_cert extension contained legacy algorithms.
Update TLS 1.2 server to properly handle legacy signature algorithms
in the signature_algorithms_cert extension.
Update TLS 1.3 client so that it can send legacy algorithms in its
signature_algorithms_cert extension.
Diffstat (limited to 'lib/ssl/src/tls_v1.erl')
-rw-r--r-- | lib/ssl/src/tls_v1.erl | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index 27cd5765e5..f7c8c770ae 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -606,8 +606,26 @@ signature_schemes(Version, SignatureSchemes) when is_tuple(Version) Acc end; %% Special clause for filtering out the legacy hash-sign tuples. - (_ , Acc) -> - Acc + ({Hash, dsa = Sign} = Alg, Acc) -> + case proplists:get_bool(dss, PubKeys) + andalso proplists:get_bool(Hash, Hashes) + andalso is_pair(Hash, Sign, Hashes) + of + true -> + [Alg | Acc]; + false -> + Acc + end; + ({Hash, Sign} = Alg, Acc) -> + case proplists:get_bool(Sign, PubKeys) + andalso proplists:get_bool(Hash, Hashes) + andalso is_pair(Hash, Sign, Hashes) + of + true -> + [Alg | Acc]; + false -> + Acc + end end, Supported = lists:foldl(Fun, [], SignatureSchemes), lists:reverse(Supported); |