Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages
authorMatt Caswell <matt@openssl.org>
Sun, 27 Jan 2019 11:00:16 +0000 (11:00 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 14 Feb 2019 16:25:44 +0000 (16:25 +0000)
commit37857e9b5258da148e5d3699b6acdf8787417eb2
treef3c684ceebcf9d58150ee7007abbda12e72756e7
parent1c31fe7eb093a8f07d32e910a46616209883cf84
Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages

The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.

This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.

This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.

Fixes #8069

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)

(cherry picked from commit 4af5836b55442f31795eff6c8c81ea7a1b8cf94b)
CHANGES
doc/man3/SSL_CTX_set_info_callback.pod
ssl/statem/statem.c
ssl/statem/statem_lib.c
ssl/statem/statem_srvr.c
test/sslapitest.c