From c44477a5f174343673b429a17b518fb0697a0d22 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 26 Apr 2018 16:58:28 +0200
Subject: ssl: Proper handling of clients that choose to send an empty answer
 to a certificate request

Solves ERL-599
---
 lib/ssl/src/ssl_connection.erl | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'lib/ssl/src/ssl_connection.erl')

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 63fae78195..64ecc29b97 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -709,6 +709,22 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},
 						Version, ?FUNCTION_NAME, State)
 	    end
     end;
+certify(internal, #certificate_request{},
+	#state{role = client, negotiated_version = Version,
+               key_algorithm = Alg} = State, _)
+  when Alg == dh_anon; Alg == ecdh_anon;
+       Alg == psk; Alg == dhe_psk; Alg == ecdhe_psk; Alg == rsa_psk;
+       Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
+    handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE),
+                     Version, ?FUNCTION_NAME, State);
+certify(internal, #certificate_request{},
+	#state{session = #session{own_certificate = undefined},
+	       role = client} = State0, Connection) ->
+    %% The client does not have a certificate and will send an empty reply, the server may fail 
+    %% or accept the connection by its own preference. No signature algorihms needed as there is
+    %% no certificate to verify.
+    {Record, State} = Connection:next_record(State0),
+    Connection:next_event(?FUNCTION_NAME, Record, State#state{client_certificate_requested = true});
 certify(internal, #certificate_request{} = CertRequest,
 	#state{session = #session{own_certificate = Cert},
 	       role = client,
-- 
cgit v1.2.3