From ea5370d4a2df4956b32f66007c820e4578328094 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 15:11:28 +0200 Subject: [PATCH] Don't allow reconnect during handshake Especially for resumed handshake, it's entirely possible for an epoch=0 ClientHello to be retransmitted or arrive so late that the server is already at epoch=1. There is no good way to detect whether it's that or a reconnect. However: - a late ClientHello seems more likely that client going down and then up again in the middle of a handshake - even if that's the case, we'll time out on that handshake soon enough - we don't want to break handshake flows that used to work So the safest option is to not treat that as a reconnect.
---
 library/ssl_tls.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2abd18b05..463a6b115 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3542,6 +3542,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
 * fact that the record header len is 13 instead.
 */
 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
 rec_epoch == 0 &&
 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
 ssl->in_left > 13 &&
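Review bot: The block comment above this condition is not updated for the new `ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER` clause, so the reason for the gate lives only in the commit message. I would extend the comment with something like `Only consider a reconnect once the handshake is over: before that, an epoch 0 ClientHello is more likely a late retransmission.` The condition and the block it guards continue past the end of the hunk, so what happens to such a record while a handshake is in progress is not visible here. Presumably it falls through to the ordinary epoch check and is dropped. A regression test that delivers a stale epoch 0 ClientHello mid-handshake would confirm that the record is discarded without disturbing the handshake in progress, which matters because epoch 0 records carry no record protection.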