authorAndreas Schultz <[email protected]>2017-07-21 15:09:35 +0200
committerAndreas Schultz <[email protected]>2017-07-21 15:09:35 +0200
commit9214be49bc81a4f9ce9def091f60df8670547a88 (patch)
treeea343f32dc658fb230c9d2f32e5c7c7c1f44fee3 /lib/ssl/src
parent33055f145d02c744e533b15df27f22e7d52d9148 (diff)
ssl: don't sent client certificate with anon ciphers
Whatever the SSL options say, when an anonymous, PSK or SRP cipher suite has been negotiated, client certificates and certificate requests are not permitted.
Diffstat (limited to 'lib/ssl/src')
-rw-r--r--lib/ssl/src/ssl_connection.erl15
1 files changed, 15 insertions, 0 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 0163d08f2a..eaa0058337 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -542,6 +542,15 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},
end
end;
+certify(internal, #certificate_request{},
+ #state{role = client, negotiated_version = Version,
+ key_algorithm = Alg} = State, _)
+ when Alg == dh_anon; Alg == ecdh_anon;
+ Alg == psk; Alg == dhe_psk; Alg == rsa_psk;
+ Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
+ handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE),
+ Version, certify, State);
+
certify(internal, #certificate_request{} = CertRequest,
#state{session = #session{own_certificate = Cert},
role = client,
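Review bot: The new `certify/4` clause raises `?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE)` with no reason term, so anyone reading the client's logs cannot tell an unexpected CertificateRequest apart from any other handshake failure. The three-argument form already used further down this file (`?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE, pub_key_is_not_rsa)`) would let it carry one, e.g. `?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, <reason_atom>)` with an atom of the project's choosing. The eight-atom guard is repeated verbatim in the `request_client_cert/2` clause of the second hunk; a single shared guard macro would keep the client and server sides in step when a key exchange is added. The list also covers `rsa_psk`, `srp_rsa` and `srp_dss`, where the server does present a certificate, so a comment naming the spec text that rules out CertificateRequest for those would help the next reader.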
@@ -1672,6 +1681,12 @@ rsa_psk_key_exchange(Version, PskIdentity, PremasterSecret,
rsa_psk_key_exchange(_, _, _, _) ->
throw (?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE, pub_key_is_not_rsa)).
+request_client_cert(#state{key_algorithm = Alg} = State, _)
+ when Alg == dh_anon; Alg == ecdh_anon;
+ Alg == psk; Alg == dhe_psk; Alg == rsa_psk;
+ Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
+ State;
+
request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer,
signature_algs = SupportedHashSigns},
connection_states = ConnectionStates0,
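Review bot: The added `request_client_cert/2` clause returns `State` unchanged for these key exchanges even when `ssl_options` carries `verify = verify_peer`, so, as far as the visible lines show, a server configured to verify client certificates completes the handshake without requesting one and nothing records that the option was skipped. A comment above the clause would make this deliberate, e.g. `%% Anonymous, PSK and SRP key exchanges never send CertificateRequest; verify_peer is not applied here`. A log entry or a note in the option documentation would also stop operators from assuming certificate authentication took place on such connections. The following `verify_peer` clause continues outside the hunk.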