Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages
authorMatt Caswell <matt@openssl.org>
Sun, 27 Jan 2019 11:00:16 +0000 (11:00 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 14 Feb 2019 16:17:34 +0000 (16:17 +0000)
commit4af5836b55442f31795eff6c8c81ea7a1b8cf94b
tree9c0e2318753afbc715e71ad91dbf557205a2e4a5
parent3c83c5ba4f6502c708b7a5f55c98a10e312668da
Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages

The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.

This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.

This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.

Fixes #8069

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)
CHANGES
doc/man3/SSL_CTX_set_info_callback.pod
ssl/statem/statem.c
ssl/statem/statem_lib.c
ssl/statem/statem_srvr.c
test/sslapitest.c