Don't send a status_request extension in a CertificateRequest message
author Matt Caswell <matt@openssl.org>
Thu, 5 Sep 2019 15:43:57 +0000 (16:43 +0100)
committer Matt Caswell <matt@openssl.org>
Fri, 6 Sep 2019 09:12:51 +0000 (10:12 +0100)
commit f8affa299534532b42b09eac5457f8bbf5216941
tree 7da3a1300d4fa86cc9ab7e7b6fc431c7a370c216
parent 5d16346679d72a4770ec01508ead7f61cf7cbf34
Don't send a status_request extension in a CertificateRequest message

If a TLSv1.3 server configured to respond to the status_request extension
also attempted to send a CertificateRequest then it was incorrectly
inserting a non-zero length status_request extension into that message.

The TLSv1.3 RFC does allow that extension in that message but it must
always be zero length.

In fact we should not be sending the extension at all in that message
because we don't support it.

Fixes #9767

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)

(cherry picked from commit debb64a0ca43969eb3f043aa8895a4faa7f12b6e)
ssl/statem/extensions_srvr.c
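
The rule stated in the commit message can be checked on the wire. The following is an added example, not OpenSSL's code and not part of this commit: it walks the extensions of a TLSv1.3 CertificateRequest body and reports a status_request extension that is not zero length. The function name, the result codes and the sample bytes are constructed for illustration, and the input is assumed to be the message body with the 4-byte handshake header already removed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_STATUS_REQUEST 5 /* IANA ExtensionType value for status_request */
enum { CR_OK = 0, CR_MALFORMED = -1, CR_NONEMPTY_STATUS_REQUEST = -2 };

/* Constructed sample bodies (not captured traffic). */
static const uint8_t sample_bad[] = {
    0x00,                                           /* empty request context */
    0x00, 0x0d,                                     /* extensions: 13 bytes */
    0x00, 0x0d, 0x00, 0x04, 0x00, 0x02, 0x04, 0x03, /* signature_algorithms */
    0x00, 0x05, 0x00, 0x01, 0x01                    /* status_request, 1 byte */
};
static const uint8_t sample_ok[] = {
    0x00, 0x00, 0x0c,                               /* context, 12 bytes ext */
    0x00, 0x0d, 0x00, 0x04, 0x00, 0x02, 0x04, 0x03, /* signature_algorithms */
    0x00, 0x05, 0x00, 0x00                          /* status_request, empty */
};

/* Hypothetical checker: returns CR_OK, CR_MALFORMED or
 * CR_NONEMPTY_STATUS_REQUEST for a CertificateRequest body. */
static int check_certificate_request(const uint8_t *p, size_t len)
{
    size_t off, ext_total;

    if (len < 1 || len < 1 + (size_t)p[0] + 2)
        return CR_MALFORMED;                 /* context + extensions length */
    off = 1 + (size_t)p[0];
    ext_total = ((size_t)p[off] << 8) | p[off + 1];
    off += 2;
    if (ext_total != len - off)
        return CR_MALFORMED;                 /* length field must match body */
    while (off < len) {
        unsigned type;
        size_t elen;
        if (len - off < 4)
            return CR_MALFORMED;             /* truncated extension header */
        type = ((unsigned)p[off] << 8) | p[off + 1];
        elen = ((size_t)p[off + 2] << 8) | p[off + 3];
        off += 4;
        if (elen > len - off)
            return CR_MALFORMED;             /* extension overruns the body */
        if (type == EXT_STATUS_REQUEST && elen != 0)
            return CR_NONEMPTY_STATUS_REQUEST;
        off += elen;
    }
    return CR_OK;
}
int main(void) { printf("%d\n", check_certificate_request(sample_bad, sizeof sample_bad)); return 0; }
```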