From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001

From: Christian Heimes <christian@python.org>

Date: Fri, 21 Sep 2018 10:37:43 +0200

Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth

OpenSSL 1.1.1 requires clients to opt-in for post-handshake

authentication.

Fixes: https://github.com/curl/curl/issues/3026

Signed-off-by: Christian Heimes <christian@python.org>

Closes https://github.com/curl/curl/pull/3027

Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/vtls/openssl.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c

index a487f55..78970d1 100644

--- a/lib/vtls/openssl.c

+++ b/lib/vtls/openssl.c

@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)

      !defined(LIBRESSL_VERSION_NUMBER) &&       \

      !defined(OPENSSL_IS_BORINGSSL))

 #define HAVE_SSL_CTX_SET_CIPHERSUITES

+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH

 #endif

 #if defined(LIBRESSL_VERSION_NUMBER)

@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)

   }

 #endif

+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH

+  /* OpenSSL 1.1.1 requires clients to opt-in for PHA */

+  SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);

+#endif

+

 #ifdef USE_TLS_SRP

   if(ssl_authtype == CURL_TLSAUTH_SRP) {

     char * const ssl_username = SSL_SET_OPTION(username);

-- 

2.17.1