Backport 3.6: dtls_server: allow unexpected message on second handshake #9655
In `dtls_server`, don't treat `MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE` as a real error if it happens during a handshake. This error can happen if the client sends a `close_notify` alert after the server has decided to close the connection, or if there's a duplicated packet from the first connection.

In testing, this error happens reliably when the client is `dtls_client` or `ssl_client2 dtls=1`. It also happens reliably when the client is `openssl s_client -dtls_12` and I type into it interactively. When the client is `echo stuff | openssl s_client -dtls_12`, I don't see the error locally, but it's happening with low frequency on the CI.

Fixes #9652. Improvement filed as #9666.
PR checklist
dtls_server in 2.28
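The handshake-loop decision the PR body describes, as an added example that is not Mbed TLS's own code: a stand-in for `mbedtls_ssl_handshake()` replays constructed return codes, and `handshake_step()` shows how the loop classifies them with and without the relaxation. The `MBEDTLS_ERR_SSL_*` values are the ones defined in `mbedtls/ssl.h`; `fake_ssl`, `handshake_step`, the `hs_outcome` enum and the three scenarios are this example's own, and the control flow is simplified relative to `programs/ssl/dtls_server.c`.

```c
/*
 * Added example (not Mbed TLS code): a stand-in for a DTLS server's handshake
 * loop, used to show which return codes are "call again", "start over" or a
 * real error. Only the MBEDTLS_ERR_SSL_* values come from mbedtls/ssl.h; the
 * fake_ssl stub, handshake_step, hs_outcome and the scenarios are invented here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Error codes, with the values defined in mbedtls/ssl.h. */
#define MBEDTLS_ERR_SSL_TIMEOUT               -0x6800
#define MBEDTLS_ERR_SSL_WANT_WRITE            -0x6880
#define MBEDTLS_ERR_SSL_WANT_READ             -0x6900
#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80
#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE    -0x7700

typedef enum {
    HS_COMPLETE,  /* handshake finished, go on to serve the connection */
    HS_RESTART,   /* benign: reset the session and wait for the next ClientHello */
    HS_ERROR      /* a genuine failure, worth reporting as such */
} hs_outcome;

/* Stand-in for mbedtls_ssl_context: replays a constructed list of return codes
 * in place of what mbedtls_ssl_handshake() would produce from the wire. */
typedef struct {
    const int *codes;
    size_t count;
    size_t next;
} fake_ssl;

static int fake_handshake(fake_ssl *ssl)
{
    if (ssl->next >= ssl->count) {
        return 0; /* nothing left to replay: the handshake completes */
    }
    return ssl->codes[ssl->next++];
}

/*
 * One handshake attempt. WANT_READ/WANT_WRITE mean "call again", as in every
 * Mbed TLS handshake loop. HELLO_VERIFY_REQUIRED is the normal DTLS cookie
 * round trip: reset and wait for the retried ClientHello. With
 * tolerate_unexpected set, UNEXPECTED_MESSAGE is also a restart rather than an
 * error: a late close_notify or a duplicated datagram from the previous
 * connection is not a server fault.
 */
static hs_outcome handshake_step(fake_ssl *ssl, bool tolerate_unexpected)
{
    int ret;

    do {
        ret = fake_handshake(ssl);
    } while (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE);

    if (ret == 0) {
        return HS_COMPLETE;
    }
    if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
        return HS_RESTART;
    }
    if (tolerate_unexpected && ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
        return HS_RESTART;
    }
    return HS_ERROR;
}

/* Constructed scenario: the second handshake is interrupted by a late
 * close_notify or a duplicated datagram from the first connection. */
static hs_outcome second_handshake_outcome(bool tolerate_unexpected)
{
    static const int codes[] = { MBEDTLS_ERR_SSL_WANT_READ, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE };
    fake_ssl ssl = { codes, sizeof(codes) / sizeof(codes[0]), 0 };
    return handshake_step(&ssl, tolerate_unexpected);
}

/* Constructed scenario: an ordinary DTLS handshake, cookie exchange first. */
static hs_outcome cookie_then_success_outcome(void)
{
    static const int codes[] = { MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED };
    fake_ssl ssl = { codes, 1, 0 };
    if (handshake_step(&ssl, true) != HS_RESTART) {
        return HS_ERROR;
    }
    return handshake_step(&ssl, true); /* retried ClientHello carries the cookie */
}

/* Constructed scenario: a timeout must still be reported even with the relaxation. */
static hs_outcome timeout_outcome(void)
{
    static const int codes[] = { MBEDTLS_ERR_SSL_WANT_WRITE, MBEDTLS_ERR_SSL_TIMEOUT };
    fake_ssl ssl = { codes, 2, 0 };
    return handshake_step(&ssl, true);
}

int main(void)
{
    static const char *names[] = { "complete", "restart", "error" };
    printf("second handshake, strict  : %s\n", names[second_handshake_outcome(false)]);
    printf("second handshake, relaxed : %s\n", names[second_handshake_outcome(true)]);
    printf("cookie exchange then OK   : %s\n", names[cookie_then_success_outcome()]);
    printf("timeout, relaxed          : %s\n", names[timeout_outcome()]);
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`. The point of the relaxation is visible in the first two lines of output: the same stray message is an "error" under the strict policy and a "restart" under the relaxed one, while a timeout stays an error either way.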