LibTLS: Treat a close_notify before agreeing on a cipher suite as a handshake failure

Some TLS implementations (namely, AWS CloudFront) do this instead of sending handshake_failure for some reason.
author: Luke <luke.wilde@live.co.uk> 2020-10-25 21:09:10 +0000
committer: Andreas Kling <kling@serenityos.org> 2020-10-26 08:59:57 +0100
commit: 63a94deb43f93f014de76913fd46d4a35ecdfe4d (patch)
tree: 2191225b046dc5380012f0e25ec512bede885574 /Libraries/LibTLS
parent: 328e481ee97897ea3cc0c915e0a8d5e1b94171bc (diff)
download: serenity-63a94deb43f93f014de76913fd46d4a35ecdfe4d.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/Libraries/LibTLS/Record.cpp b/Libraries/LibTLS/Record.cpp
index f061c5500a..7350ae09d5 100644
--- a/Libraries/LibTLS/Record.cpp
+++ b/Libraries/LibTLS/Record.cpp
@@ -315,6 +315,12 @@ ssize_t TLSv12::handle_message(const ByteBuffer& buffer)
                 res += 2;
                 alert(AlertLevel::Critical, AlertDescription::CloseNotify);
                 m_context.connection_finished = true;
+                if (!m_context.cipher_spec_set) {
+                    // AWS CloudFront hits this.
+                    dbg() << "Server sent a close notify and we haven't agreed on a cipher suite. Treating it as a handshake failure.";
+                    m_context.critical_error = (u8)AlertDescription::HandshakeFailure;
+                    try_disambiguate_error();
+                }
             }
             m_context.error_code = (Error)code;
         }
author	Luke <luke.wilde@live.co.uk>	2020-10-25 21:09:10 +0000
committer	Andreas Kling <kling@serenityos.org>	2020-10-26 08:59:57 +0100
commit	63a94deb43f93f014de76913fd46d4a35ecdfe4d (patch)
tree	2191225b046dc5380012f0e25ec512bede885574 /Libraries/LibTLS
parent	328e481ee97897ea3cc0c915e0a8d5e1b94171bc (diff)
download	serenity-63a94deb43f93f014de76913fd46d4a35ecdfe4d.zip