Backport 3.6: dtls_server: allow unexpected message on second handshake #9655
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE happens during the handshake, don't show it as an "error". It might be an error, but it might also be a fact of life if it happens during the second or more handshake: it can be a duplicated packet or a close_notify alert from the previous connection, which is hard to avoid and harmless. Fixes Mbed-TLS#9652. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that dtls_server doesn't print "error" when it receives stray messages while it's waiting for a second handshake, have the tests fail if "error" is printed for some other reason. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
added
component-tls
needs-ci
gilles-peskine-arm
added
needs-review
5 tasks
gilles-peskine-arm
removed
the
needs-reviewer
davidhorstmann-arm
approved these changes
Oct 2, 2024
davidhorstmann-arm
added
approved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In
dtls_server, don't treatMBEDTLS_ERR_SSL_UNEXPECTED_MESSAGEas a real error if it happens during a handshake. This error can happen if the client sends aclose_notifyalert after the server has decided to close the connection, or if there's a duplicated packet from the first connection.In testing, this error happens reliably when the client is
dtls_clientorssl_client2 dtls=1. It also happens reliably when the client isopenssl s_client -dtls_12and I type into it interactively. When the client isecho stuff | openssl s_client -dtls_12, I don't see the error locally, but it's happening with low frequency on the CI.Fixes #9652. Improvement filed as #9666.
PR checklist
dtls_serverin 2.28