aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
diff options
context:
space:
mode:
authorBram Verburg <[email protected]>2018-02-28 16:05:20 +0200
committerIngela Anderton Andin <[email protected]>2018-03-06 11:15:46 +0100
commit99656a1e3ebf5ca4bb2ad63a66a0308d51243c53 (patch)
tree237af30b8d17cfbf3420882d571a673f1d7da254 /lib/ssl/src
parentb8b3abfacb40d147ec834cc18742b356d6b03236 (diff)
downloadotp-99656a1e3ebf5ca4bb2ad63a66a0308d51243c53.tar.gz
otp-99656a1e3ebf5ca4bb2ad63a66a0308d51243c53.tar.bz2
otp-99656a1e3ebf5ca4bb2ad63a66a0308d51243c53.zip
ssl: Fix anonymous suites regression and protocol error
Anonymous cipher suites were broken altogether, and there was an earlier issue where the server would send a signature in the server key exchange if a certificate was configured, even if an anonymous suite was actually negotiated. Backport of PR-1729
Diffstat (limited to 'lib/ssl/src')
-rw-r--r--lib/ssl/src/ssl_handshake.erl9
1 files changed, 5 insertions, 4 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 5e687b1bb7..7efb89bfae 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -755,9 +755,8 @@ decode_suites('3_bytes', Dec) ->
%%====================================================================
available_suites(UserSuites, Version) ->
- lists:filtermap(fun(Suite) ->
- lists:member(Suite, ssl_cipher:all_suites(Version))
- end, UserSuites).
+ VersionSuites = ssl_cipher:all_suites(Version) ++ ssl_cipher:anonymous_suites(Version),
+ lists:filtermap(fun(Suite) -> lists:member(Suite, VersionSuites) end, UserSuites).
available_suites(ServerCert, UserSuites, Version, undefined, Curve) ->
ssl_cipher:filter(ServerCert, available_suites(UserSuites, Version))
@@ -1025,7 +1024,9 @@ select_curve(undefined, _, _) ->
%%
%% Description: Handles signature_algorithms hello extension (server)
%%--------------------------------------------------------------------
-select_hashsign(_, undefined, _, _, _Version) ->
+select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;
+ KeyExAlgo == ecdh_anon;
+ KeyExAlgo == srp_anon ->
{null, anon};
%% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have
%% negotiated a lower version.