From b939bc47b27cd57c6ebb852ad653933e4124b452 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 21 Sep 2018 10:37:43 +0200
Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth

OpenSSL 1.1.1 requires clients to opt-in for post-handshake authentication.

Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes
Closes https://github.com/curl/curl/pull/3027
---
 lib/vtls/openssl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 55226e4ba..230eea2d0 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -177,6 +177,7 @@
   !defined(LIBRESSL_VERSION_NUMBER) && \
   !defined(OPENSSL_IS_BORINGSSL))
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
 #endif
 
 #if defined(LIBRESSL_VERSION_NUMBER)
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
   }
 #endif
 
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+  /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
+  SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
+#endif
+
 #ifdef USE_TLS_SRP
   if(ssl_authtype == CURL_TLSAUTH_SRP) {
     char * const ssl_username = SSL_SET_OPTION(username);
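Review bot: The comment above the new `SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1)` call says only that the opt-in is required, not what breaks without it, which is the part a future maintainer will want when deciding whether the call may be made conditional. I would extend it to `/* OpenSSL 1.1.1 requires clients to opt-in for PHA; without it a TLS 1.3 server that requests a client certificate after the handshake cannot complete the request */`. Note also that the opt-in is set on the SSL_CTX rather than on the per-connection SSL object, so it applies to every connection created from this context regardless of whether a client certificate is configured; that looks intended here, but it is worth stating in the comment since the server, not curl, decides when a post-handshake CertificateRequest is sent. The HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH guard in the first hunk is derived from the same OPENSSL_VERSION_NUMBER / non-LibreSSL / non-BoringSSL test as HAVE_SSL_CTX_SET_CIPHERSUITES rather than from a configure probe, so any other 1.1.1-compatible fork lacking the function would fail to build; a one-line comment on that define recording the assumption would help. The enclosing function ossl_connect_step1 starts and ends outside the hunk.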