authorPéter Dimitrov <[email protected]>2019-07-25 14:16:34 +0200
committerPéter Dimitrov <[email protected]>2019-07-25 14:57:23 +0200
commitb08621c8a9bf4f8e780de8bba022ad902308cfc8 (patch)
treeb4c8f6911114b6c30f490305acd6697972c6163f /lib/ssl/src
parent73b526ce765dc7ac71fdae349da44941d8201d9c (diff)
ssl: Fix handshake pause in TLS 1.3
Diffstat (limited to 'lib/ssl/src')
-rw-r--r--lib/ssl/src/ssl_handshake.erl6
-rw-r--r--lib/ssl/src/tls_record_1_3.erl9
2 files changed, 14 insertions, 1 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 0585aebcb2..bd2efa9fbb 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1508,8 +1508,12 @@ extension_value(#signature_algorithms_cert{signature_scheme_list = Schemes}) ->
Schemes;
extension_value(#key_share_client_hello{client_shares = ClientShares}) ->
ClientShares;
+extension_value(#key_share_server_hello{server_share = ServerShare}) ->
+ ServerShare;
extension_value(#client_hello_versions{versions = Versions}) ->
- Versions.
+ Versions;
+extension_value(#server_hello_selected_version{selected_version = SelectedVersion}) ->
+ SelectedVersion.
%%--------------------------------------------------------------------
diff --git a/lib/ssl/src/tls_record_1_3.erl b/lib/ssl/src/tls_record_1_3.erl
index 74321a1ae2..d713062284 100644
--- a/lib/ssl/src/tls_record_1_3.erl
+++ b/lib/ssl/src/tls_record_1_3.erl
@@ -138,6 +138,15 @@ decode_cipher_text(#ssl_tls{type = ?ALERT,
{#ssl_tls{type = ?ALERT,
version = {3,4}, %% Internally use real version
fragment = <<2,47>>}, ConnectionStates0};
+%% TLS 1.3 server can receive a User Cancelled Alert when handshake is
+%% paused and then cancelled on the client side.
+decode_cipher_text(#ssl_tls{type = ?ALERT,
+ version = ?LEGACY_VERSION,
+ fragment = <<2,90>>},
+ ConnectionStates0) ->
+ {#ssl_tls{type = ?ALERT,
+ version = {3,4}, %% Internally use real version
+ fragment = <<2,90>>}, ConnectionStates0};
%% RFC8446 - TLS 1.3
%% D.4. Middlebox Compatibility Mode
%% - If not offering early data, the client sends a dummy
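Review bot: The added `decode_cipher_text/2` clause binds `ConnectionStates0` without matching on the read state, so as written a plaintext `?ALERT` record carrying `<<2,90>>` is accepted in whatever state the connection is in, and such a record is unauthenticated. Unless an earlier clause outside this hunk already restricts this, the comment above the clause should state the trust assumption and the intended window, for example `%% NOTE: this alert arrives unencrypted and unauthenticated; it is accepted only so that a paused handshake can be cancelled.` The pattern also matches only level byte 2, while RFC 8446 section 6.1 says user_canceled generally has AlertLevel=warning, so a peer sending `<<1,90>>` would not hit this clause; whether a later clause covers that case is not visible here. The new clause duplicates the `<<2,47>>` clause above it except for the description byte, so the two could share one head with a guard such as `when Desc =:= 47; Desc =:= 90`. The function's clauses begin before and continue after this hunk.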