If a server is not acknowledging SNI then don't reject early_data (281bf233) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/statem/extensions.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -911,8 +911,6 @@ static int final_server_name(SSL *s, unsigned int context, int sent,

		case SSL_TLSEXT_ERR_NOACK:
		s->servername_done = 0;
		if (s->server && s->session->ext.hostname != NULL)
		s->ext.early_data_ok = 0;
		return 1;

		default:

+6 −5

Original line number	Diff line number	Diff line
		@@ -1961,13 +1961,11 @@ static int test_early_data_not_sent(int idx)
		return testresult;
		}

		static const char *servhostname;

		static int hostname_cb(SSL s, int al, void *arg)
		{
		const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);

		if (hostname != NULL && strcmp(hostname, servhostname) == 0)
		if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
		return SSL_TLSEXT_ERR_OK;

		return SSL_TLSEXT_ERR_NOACK;
		@@ -2024,7 +2022,6 @@ static int test_early_data_psk(int idx)
		&serverssl, &sess, 2)))
		goto end;

		servhostname = "goodhost";
		servalpn = "goodalpn";

		/*
		@@ -2069,7 +2066,11 @@ static int test_early_data_psk(int idx)
		* Set inconsistent SNI (server detected). In this case the connection
		* will succeed but reject early_data.
		*/
		servhostname = "badhost";
		SSL_SESSION_free(serverpsk);
		serverpsk = SSL_SESSION_dup(clientpsk);
		if (!TEST_ptr(serverpsk)
		\|\| !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
		goto end;
		edstatus = SSL_EARLY_DATA_REJECTED;
		readearlyres = SSL_READ_EARLY_DATA_FINISH;
		/* Fall through */