d73b74
From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
d73b74
From: Christian Heimes <christian@python.org>
d73b74
Date: Fri, 21 Sep 2018 10:37:43 +0200
d73b74
Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
d73b74
d73b74
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
d73b74
authentication.
d73b74
d73b74
Fixes: https://github.com/curl/curl/issues/3026
d73b74
Signed-off-by: Christian Heimes <christian@python.org>
d73b74
d73b74
Closes https://github.com/curl/curl/pull/3027
d73b74
d73b74
Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
d73b74
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
d73b74
---
d73b74
 lib/vtls/openssl.c | 6 ++++++
d73b74
 1 file changed, 6 insertions(+)
d73b74
d73b74
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
d73b74
index a487f55..78970d1 100644
d73b74
--- a/lib/vtls/openssl.c
d73b74
+++ b/lib/vtls/openssl.c
d73b74
@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
d73b74
      !defined(LIBRESSL_VERSION_NUMBER) &&       \
d73b74
      !defined(OPENSSL_IS_BORINGSSL))
d73b74
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
d73b74
+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
d73b74
 #endif
d73b74
 
d73b74
 #if defined(LIBRESSL_VERSION_NUMBER)
d73b74
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
d73b74
   }
d73b74
 #endif
d73b74
 
d73b74
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
d73b74
+  /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
d73b74
+  SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
d73b74
+#endif
d73b74
+
d73b74
 #ifdef USE_TLS_SRP
d73b74
   if(ssl_authtype == CURL_TLSAUTH_SRP) {
d73b74
     char * const ssl_username = SSL_SET_OPTION(username);
d73b74
-- 
d73b74
2.17.1
d73b74