Unverified Commit b939bc47 authored by Christian Heimes's avatar Christian Heimes Committed by Daniel Stenberg
Browse files

OpenSSL: enable TLS 1.3 post-handshake auth 

OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.

Fixes: https://github.com/curl/curl/issues/3026


Signed-off-by: default avatarChristian Heimes <christian@python.org>

Closes https://github.com/curl/curl/pull/3027
parent 55b51b8c

lib/vtls/openssl.c

+6 −0
Original line number Diff line number Diff line
@@ -177,6 +177,7 @@ 
     !defined(LIBRESSL_VERSION_NUMBER) &&       \

     !defined(OPENSSL_IS_BORINGSSL))

#define HAVE_SSL_CTX_SET_CIPHERSUITES

#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH

#endif



#if defined(LIBRESSL_VERSION_NUMBER)
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) 
  }

#endif



#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH

  /* OpenSSL 1.1.1 requires clients to opt-in for PHA */

  SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);

#endif



#ifdef USE_TLS_SRP

  if(ssl_authtype == CURL_TLSAUTH_SRP) {

    char * const ssl_username = SSL_SET_OPTION(username);