From 5848055e7b6bd16e2dfccf5273f08643be152f1f Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Wed, 3 Jan 2024 15:26:33 +0100
Subject: [PATCH] ssl: Fix legacy name handling in certificate request too

Closes #7978
---
 lib/ssl/src/ssl_handshake.erl | 3 ++-
 lib/ssl/test/tls_1_3_version_SUITE.erl | 27 ++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 97ee2d09e7ca..74d2d1d5b825 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1704,7 +1704,7 @@ select_hashsign(#certificate_request{
 hash_sign_algos = HashSigns},
 certificate_types = Types},
 Cert,
- SupportedHashSigns,
+ SupportedHashSigns0,
 ?TLS_1_2) ->
 {SignAlgo0, Param, PublicKeyAlgo0, _, _} = get_cert_params(Cert),
 SignAlgo = sign_algo(SignAlgo0, Param),
@@ -1712,6 +1712,7 @@ select_hashsign(#certificate_request{
 case is_acceptable_cert_type(PublicKeyAlgo, Types) andalso
 is_supported_sign(SignAlgo, HashSigns) of
 true ->
+ SupportedHashSigns = ssl_cipher:signature_schemes_1_2(SupportedHashSigns0),
 do_select_hashsign(HashSigns, PublicKeyAlgo, SupportedHashSigns);
 false ->
 ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_signature_algorithm)
diff --git a/lib/ssl/test/tls_1_3_version_SUITE.erl b/lib/ssl/test/tls_1_3_version_SUITE.erl
index df9a2496cbfa..31192db88610 100644
--- a/lib/ssl/test/tls_1_3_version_SUITE.erl
+++ b/lib/ssl/test/tls_1_3_version_SUITE.erl
@@ -54,6 +54,8 @@
 tls12_client_tls_server/1,
 legacy_tls12_client_tls_server/0,
 legacy_tls12_client_tls_server/1,
+ legacy_tls12_server_tls_client/0,
+ legacy_tls12_server_tls_client/1,
 middle_box_tls13_client/0,
 middle_box_tls13_client/1,
 middle_box_tls12_enabled_client/0,
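Review bot: The added `SupportedHashSigns = ssl_cipher:signature_schemes_1_2(SupportedHashSigns0)` in the `true ->` branch of the second ssl_handshake.erl hunk carries no comment on why our own list needs normalizing while the peer's `HashSigns` from the CertificateRequest does not, and that asymmetry is the whole fix. Presumably a TLS 1.3 enabled client that ends up negotiating TLS 1.2 still holds scheme-style names in its configured `signature_algs`, whereas `do_select_hashsign` matches against the `{Hash, Sign}` pairs of the TLS 1.2 message; one line above the call, `%% Our signature_algs may hold TLS-1.3 scheme names (client is 1.3 enabled); normalize to TLS-1.2 {Hash, Sign} pairs before matching against the CertificateRequest list`, would make that explicit and also explain the otherwise unmotivated rename to `SupportedHashSigns0` in the first hunk. Converting only after the `is_supported_sign(SignAlgo, HashSigns)` check is consistent, since that check uses the peer's list, but it means a configuration with no convertible entries is only detected inside `do_select_hashsign`, which a reader cannot see here. The body of `select_hashsign` continues outside the hunk.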
@@ -93,6 +95,7 @@ tls_1_3_1_2_tests() ->
 tls_client_tls12_server,
 tls12_client_tls_server,
 legacy_tls12_client_tls_server,
+ legacy_tls12_server_tls_client,
 middle_box_tls13_client,
 middle_box_tls12_enabled_client,
 middle_box_client_tls_v2_session_reused,
@@ -305,6 +308,30 @@ legacy_tls12_client_tls_server(Config) when is_list(Config) ->
 | ssl_test_lib:ssl_options(server_cert_opts, Config)],
 ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
 
+legacy_tls12_server_tls_client() ->
+ [{doc,"Test that a TLS 1.3 enabled client can connect to legacy TLS-1.2 server."}].
+
+legacy_tls12_server_tls_client(Config) when is_list(Config) ->
+ SHA = sha384,
+ Prop = proplists:get_value(tc_group_properties, Config),
+ Alg = proplists:get_value(name, Prop),
+ #{client_config := ClientOpts0,
+ server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_der(Alg, [{server_chain,
+ [[{digest, SHA}],
+ [{digest, SHA}],
+ [{digest, SHA}]]},
+ {client_chain,
+ [[{digest, SHA}],
+ [{digest, SHA}],
+ [{digest, SHA}]]}
+ ]),
+
+ ClientOpts = [{versions, ['tlsv1.3', 'tlsv1.2']} | ClientOpts0],
+ ServerOpts = [{versions, ['tlsv1.2']}, {verify, verify_peer}, {fail_if_no_peer_cert, true},
+ {signature_algs, [{SHA, Alg}]}
+ | ServerOpts0],
+ ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
+
 middle_box_tls13_client() ->
 [{doc,"Test that a TLS 1.3 client can connect to a 1.3 server with and without middle box compatible mode."}].
 middle_box_tls13_client(Config) when is_list(Config) ->
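Review bot: The doc string on `legacy_tls12_server_tls_client/0` says only that a TLS 1.3 enabled client can connect to a legacy TLS-1.2 server, but the server options `{verify, verify_peer}, {fail_if_no_peer_cert, true}` and `{signature_algs, [{SHA, Alg}]}` show the real purpose: force a CertificateRequest and exercise client certificate signature selection against legacy `{Hash, Sign}` names, which is the path the ssl_handshake.erl change fixes. The test also depends on the client's default `signature_algs` (no explicit client list is set), which is presumably what carries the TLS 1.3 style names that the fix normalizes, and that dependency is invisible to a reader. I would extend the doc to `[{doc,"Test that a TLS 1.3 enabled client can connect to a legacy TLS-1.2 server that requests a client certificate and advertises only legacy {Hash, Sign} signature_algs (regression test for #7978)."}]` and add `%% No client signature_algs on purpose: rely on the TLS 1.3 enabled default list` above the `ClientOpts` binding.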