ssl: Fix legacy name handling in certificate request too

Closes erlang#7978
emqx · Jan 10, 2024 · 5848055 · 5848055
1 parent 0ad4972
commit 5848055
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
@@ -1704,14 +1704,15 @@ select_hashsign(#certificate_request{
                                             hash_sign_algos = HashSigns},
                    certificate_types = Types},
                 Cert,
-                SupportedHashSigns,
+                SupportedHashSigns0,
 		?TLS_1_2) ->
     {SignAlgo0, Param, PublicKeyAlgo0, _, _} = get_cert_params(Cert),
     SignAlgo = sign_algo(SignAlgo0, Param),
     PublicKeyAlgo = ssl_certificate:public_key_type(PublicKeyAlgo0),
     case is_acceptable_cert_type(PublicKeyAlgo, Types) andalso
         is_supported_sign(SignAlgo, HashSigns) of
 	true ->
+            SupportedHashSigns = ssl_cipher:signature_schemes_1_2(SupportedHashSigns0),
             do_select_hashsign(HashSigns, PublicKeyAlgo, SupportedHashSigns);
 	false ->
 	    ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_signature_algorithm)

diff --git a/lib/ssl/test/tls_1_3_version_SUITE.erl b/lib/ssl/test/tls_1_3_version_SUITE.erl
@@ -54,6 +54,8 @@
          tls12_client_tls_server/1,
          legacy_tls12_client_tls_server/0,
          legacy_tls12_client_tls_server/1,
+         legacy_tls12_server_tls_client/0,
+         legacy_tls12_server_tls_client/1,
          middle_box_tls13_client/0,
          middle_box_tls13_client/1,
          middle_box_tls12_enabled_client/0,
@@ -93,6 +95,7 @@ tls_1_3_1_2_tests() ->
      tls_client_tls12_server,
      tls12_client_tls_server,
      legacy_tls12_client_tls_server,
+     legacy_tls12_server_tls_client,
      middle_box_tls13_client,
      middle_box_tls12_enabled_client,
      middle_box_client_tls_v2_session_reused,
@@ -305,6 +308,30 @@ legacy_tls12_client_tls_server(Config) when is_list(Config) ->
                   | ssl_test_lib:ssl_options(server_cert_opts, Config)],
     ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
 
+legacy_tls12_server_tls_client() ->
+    [{doc,"Test that a TLS 1.3 enabled client can connect to legacy TLS-1.2 server."}].
+
+legacy_tls12_server_tls_client(Config) when is_list(Config) ->
+    SHA = sha384,
+    Prop = proplists:get_value(tc_group_properties, Config),
+    Alg = proplists:get_value(name, Prop),
+    #{client_config := ClientOpts0, 
+      server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(Alg, [{server_chain,
+                                                                               [[{digest, SHA}],
+                                                                                [{digest, SHA}],
+                                                                                [{digest, SHA}]]},
+                                                                              {client_chain,
+                                                                               [[{digest, SHA}],
+                                                                                [{digest, SHA}],
+                                                                                [{digest, SHA}]]}
+                                                                             ]),
+
+    ClientOpts = [{versions, ['tlsv1.3', 'tlsv1.2']} | ClientOpts0],
+    ServerOpts =  [{versions, ['tlsv1.2']}, {verify, verify_peer}, {fail_if_no_peer_cert, true},
+                   {signature_algs, [{SHA, Alg}]}
+                  | ServerOpts0],
+    ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
+
 middle_box_tls13_client() ->
     [{doc,"Test that a TLS 1.3 client can connect to a 1.3 server with and without middle box compatible mode."}].
 middle_box_tls13_client(Config) when is_list(Config) ->