From f42c07680f4695d746c68c916aa1c8e07c52b30f Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Fri, 27 Sep 2024 14:17:14 +0200
Subject: [PATCH] ssl: Old server should ignore new extension

---
 lib/ssl/src/tls_handshake.erl | 4 ++--
 lib/ssl/test/tls_1_3_version_SUITE.erl | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index e99bbecbe87c..837943d83e6c 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -242,8 +242,8 @@ hello(#client_hello{client_version = _ClientVersion,
 extensions = #{client_hello_versions :=
 #client_hello_versions{versions = ClientVersions}
 }} = Hello,
- #{versions := Versions} = SslOpts,
- Info, Renegotiation) ->
+ #{versions := Versions = [Version |_]} = SslOpts,
+ Info, Renegotiation) when ?TLS_GTE(Version, ?TLS_1_2)->
 try
 Version = ssl_handshake:select_supported_version(ClientVersions, Versions),
 do_hello(Version, Versions, CipherSuites, Hello, SslOpts, Info, Renegotiation)
diff --git a/lib/ssl/test/tls_1_3_version_SUITE.erl b/lib/ssl/test/tls_1_3_version_SUITE.erl
index 2ba02d006ebb..5e5d00be55ee 100644
--- a/lib/ssl/test/tls_1_3_version_SUITE.erl
+++ b/lib/ssl/test/tls_1_3_version_SUITE.erl
@@ -56,6 +56,8 @@
 legacy_tls12_client_tls_server/1,
 legacy_tls12_server_tls_client/0,
 legacy_tls12_server_tls_client/1,
+ tls13_client_tls11_server/0,
+ tls13_client_tls11_server/1,
 middle_box_tls13_client/0,
 middle_box_tls13_client/1,
 middle_box_tls12_enabled_client/0,
@@ -107,7 +109,9 @@ legacy_tests() ->
 tls_client_tls12_server,
 tls10_client_tls_server,
 tls11_client_tls_server,
- tls12_client_tls_server].
+ tls12_client_tls_server,
+ tls13_client_tls11_server
+ ].
 
 init_per_suite(Config) ->
 catch crypto:stop(),
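Review bot: Binding `Version` in the new clause head (`Versions = [Version |_]`) turns the body's `Version = ssl_handshake:select_supported_version(ClientVersions, Versions)` into an assertion rather than a binding, so whenever the best version common to client and server is lower than the server's first configured version (a TLS 1.2-only client against a server offering TLS 1.3 and 1.2, for instance) the match raises `badmatch` instead of negotiating the lower version. The catch clause of that `try` is outside the hunk, so how the exception surfaces cannot be seen here, but it presumably ends the handshake rather than completing a TLS 1.2 negotiation. Use a distinct name for the negotiated version: `SelectedVersion = ssl_handshake:select_supported_version(ClientVersions, Versions),` and `do_hello(SelectedVersion, Versions, CipherSuites, Hello, SslOpts, Info, Renegotiation)`. The guard also assumes `Versions` is ordered highest-first; if that ordering is established when options are normalised, a comment such as `%% Versions is sorted highest first; a server below TLS 1.2 must ignore supported_versions (RFC 8446 4.2.1)` on the guard line would record the intent. The `hello/4` clause starts and the `try` ends outside the hunk.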
@@ -402,6 +406,13 @@ renegotiate_error(Config) when is_list(Config) ->
 ct:fail(Reason)
 end.
 
+tls13_client_tls11_server() ->
+ [{doc,"Test that a TLS 1.3 client gets old server alert from TLS 1.0 server."}].
+tls13_client_tls11_server(Config) when is_list(Config) ->
+ ClientOpts = [{versions, ['tlsv1.3']} | ssl_test_lib:ssl_options(client_cert_opts, Config)],
+ ServerOpts = [{versions, ['tlsv1']} | ssl_test_lib:ssl_options(server_cert_opts, Config)],
+ ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security).
+
 %%--------------------------------------------------------------------
 %% Internal functions and callbacks -----------------------------------
 %%--------------------------------------------------------------------
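Review bot: The test name says `tls11_server` while `ServerOpts` configures `{versions, ['tlsv1']}` (TLS 1.0) and the doc string says "TLS 1.0 server"; one of the three should change so the case is unambiguous, either renaming to `tls13_client_tls10_server` (the export and group entries elsewhere in the patch would need the same rename) or configuring `['tlsv1.1']` to match the name. The doc string could also say what is actually asserted rather than "old server alert", e.g. `[{doc,"TLS 1.3 client against a TLS 1.0-only server: the server ignores supported_versions and the client aborts with insufficient_security."}]`. Since the new guard in tls_handshake.erl excludes both TLS 1.0 and TLS 1.1 servers from the supported_versions path, a companion case with a `['tlsv1.1']` server would cover the other excluded version cheaply.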