From: Christian Heimes Date: Fri, 21 Sep 2018 08:37:43 +0000 (+0200) Subject: OpenSSL: enable TLS 1.3 post-handshake auth X-Git-Tag: curl-7_62_0~141 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b939bc47b27cd57c6ebb852ad653933e4124b452;p=curl OpenSSL: enable TLS 1.3 post-handshake auth OpenSSL 1.1.1 requires clients to opt-in for post-handshake authentication. Fixes: https://github.com/curl/curl/issues/3026 Signed-off-by: Christian Heimes Closes https://github.com/curl/curl/pull/3027
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 55226e4ba..230eea2d0 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -177,6 +177,7 @@
 !defined(LIBRESSL_VERSION_NUMBER) && \
 !defined(OPENSSL_IS_BORINGSSL))
 #define HAVE_SSL_CTX_SET_CIPHERSUITES
+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
 #endif
 #if defined(LIBRESSL_VERSION_NUMBER)
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 }
 #endif
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
+#endif
+
 #ifdef USE_TLS_SRP
 if(ssl_authtype == CURL_TLSAUTH_SRP) {
 char * const ssl_username = SSL_SET_OPTION(username);
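Review bot: The call added in the second hunk, `SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);`, enables post-handshake auth on every TLS context, whether or not a client certificate is configured for the transfer. Once the extension is advertised, a TLS 1.3 server may send a CertificateRequest at any point after the handshake, so consider making the call conditional on a client certificate being set; the variable holding it is presumably in the part of ossl_connect_step1 outside this hunk. If unconditional opt-in is intended, the comment should say so, for example `/* OpenSSL 1.1.1 requires clients to opt in to TLS 1.3 post-handshake auth (PHA); enabled unconditionally, also when no client cert is set */`. The `HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH` guard in the first hunk reuses the version condition of `HAVE_SSL_CTX_SET_CIPHERSUITES`, whose opening `#if` line is outside the hunk, so the exact OpenSSL version it tests cannot be confirmed from here.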