QUIC: Prohibit post-handshake auth

author Hugo Landau <hlandau@openssl.org>

Mon, 16 Jan 2023 15:21:57 +0000 (15:21 +0000)

committer Pauli <pauli@openssl.org>

Tue, 4 Jul 2023 23:02:26 +0000 (09:02 +1000)
author Hugo Landau <hlandau@openssl.org>
Mon, 16 Jan 2023 15:21:57 +0000 (15:21 +0000)
committer Pauli <pauli@openssl.org>
Tue, 4 Jul 2023 23:02:26 +0000 (09:02 +1000)
diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod

index 9d4abac30eba5385a05769e78b728e0edf621889..3af040385430ff5dd18423b51b1a5d41987b8f78 100644 (file)
--- a/doc/man3/SSL_CTX_set_verify.pod
+++ b/doc/man3/SSL_CTX_set_verify.pod
@@ -215,6 +215,8 @@ Only one certificate request may be outstanding at any time.
  When post-handshake authentication occurs, a refreshed NewSessionTicket
  message is sent to the client.
  
+Post-handshake authentication cannot be used with QUIC.
+
  =head1 BUGS
  
  In client mode, it is not checked whether the SSL_VERIFY_PEER flag
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c

index 68f3c21cd50cab9c52bfc16dd09781591e1b04e1..3374045c37ef64103de8060a6d20779d7412d3f3 100644 (file)
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -331,7 +331,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
      sc->s3.flags |= TLS1_FLAGS_QUIC;
  
      /* Restrict options derived from the SSL_CTX. */
-    sc->options &= OSSL_QUIC_PERMITTED_OPTIONS;
+    sc->options     &= OSSL_QUIC_PERMITTED_OPTIONS;
+    sc->pha_enabled  = 0;
  
  #if defined(OPENSSL_THREADS)
      if ((qc->mutex = ossl_crypto_mutex_new()) == NULL)
author	Hugo Landau <hlandau@openssl.org>
	Mon, 16 Jan 2023 15:21:57 +0000 (15:21 +0000)
committer	Pauli <pauli@openssl.org>
	Tue, 4 Jul 2023 23:02:26 +0000 (09:02 +1000)
doc/man3/SSL_CTX_set_verify.pod		patch \| blob \| history
ssl/quic/quic_impl.c		patch \| blob \| history