diff options
author | Ingela Anderton Andin <[email protected]> | 2017-06-13 17:58:52 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2017-06-13 17:58:52 +0200 |
commit | 478205d32667dd7575d70d412d96c8c695168c46 (patch) | |
tree | e5c97d54672d96c814ccaf8435d3abe574a9d819 /lib/ssl/src | |
parent | 698068c2322d6032f46487f56802246198e576f2 (diff) | |
download | otp-478205d32667dd7575d70d412d96c8c695168c46.tar.gz otp-478205d32667dd7575d70d412d96c8c695168c46.tar.bz2 otp-478205d32667dd7575d70d412d96c8c695168c46.zip |
dtls: Make HelloVerifyRequest version adhere to RFC
ERL-434
RFC6347 says about hello_verify_request version field as follow
https://tools.ietf.org/html/rfc6347#page-16
The server_version field has the same syntax as in TLS. However, in
order to avoid the requirement to do version negotiation in the
initial handshake, DTLS 1.2 server implementations SHOULD use DTLS
version 1.0 regardless of the version of TLS that is expected to be
negotiated.
But current DTLS server responses DTLS1.2 instead of DTLS1.0.
Diffstat (limited to 'lib/ssl/src')
-rw-r--r-- | lib/ssl/src/dtls_connection.erl | 8 | ||||
-rw-r--r-- | lib/ssl/src/dtls_handshake.hrl | 1 |
2 files changed, 8 insertions, 1 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl index f338471829..5f65394b7a 100644 --- a/lib/ssl/src/dtls_connection.erl +++ b/lib/ssl/src/dtls_connection.erl @@ -311,7 +311,13 @@ hello(internal, #client_hello{cookie = <<>>, protocol_specific = #{current_cookie_secret := Secret}} = State0) -> {ok, {IP, Port}} = dtls_socket:peername(Transport, Socket), Cookie = dtls_handshake:cookie(Secret, IP, Port, Hello), - VerifyRequest = dtls_handshake:hello_verify_request(Cookie, Version), + %% FROM RFC 6347 regarding HelloVerifyRequest message: + %% The server_version field has the same syntax as in TLS. However, in + %% order to avoid the requirement to do version negotiation in the + %% initial handshake, DTLS 1.2 server implementations SHOULD use DTLS + %% version 1.0 regardless of the version of TLS that is expected to be + %% negotiated. + VerifyRequest = dtls_handshake:hello_verify_request(Cookie, ?HELLO_VERIFY_REQUEST_VERSION), State1 = prepare_flight(State0#state{negotiated_version = Version}), {State2, Actions} = send_handshake(VerifyRequest, State1), {Record, State} = next_record(State2), diff --git a/lib/ssl/src/dtls_handshake.hrl b/lib/ssl/src/dtls_handshake.hrl index 0a980c5f31..24678cba0e 100644 --- a/lib/ssl/src/dtls_handshake.hrl +++ b/lib/ssl/src/dtls_handshake.hrl @@ -29,6 +29,7 @@ -include("ssl_handshake.hrl"). %% Common TLS and DTLS records and Constantes -define(HELLO_VERIFY_REQUEST, 3). +-define(HELLO_VERIFY_REQUEST_VERSION, {254, 255}). -record(client_hello, { client_version, |