diff -Nru erlang-p1-tls-1.0.20/debian/changelog erlang-p1-tls-1.0.20/debian/changelog
--- erlang-p1-tls-1.0.20/debian/changelog 2018-02-05 23:21:22.000000000 +0000
+++ erlang-p1-tls-1.0.20/debian/changelog 2019-08-21 11:10:53.000000000 +0000
@@ -1,3 +1,21 @@
+erlang-p1-tls (1.0.20-1ubuntu0.2) bionic-security; urgency=medium
+
+ * No-change rebuild in the -security pocket to pick up OpenSSL 1.1.1.
+ (LP: #1832933)
+
+ -- Marc Deslauriers Wed, 21 Aug 2019 07:10:53 -0400
+
+erlang-p1-tls (1.0.20-1ubuntu0.1) bionic; urgency=medium
+
+ * Cherrypick upstream patches for openssl1.1 support:
+ - fix client cert authentication
+ - update test certificates
+ - add support for 'no_tlsv1_3' option
+ - testsuite fixes
+ - do not attempt unsupported renegotiation LP: #1832933
+
+ -- Dimitri John Ledkov Sun, 16 Jun 2019 01:48:12 +0100
+
 erlang-p1-tls (1.0.20-1build1) bionic; urgency=high
 
 * No change rebuild against openssl1.1.
diff -Nru erlang-p1-tls-1.0.20/debian/patches/0002-Specify-accepted-Client-CAs-during-handshake.patch erlang-p1-tls-1.0.20/debian/patches/0002-Specify-accepted-Client-CAs-during-handshake.patch
--- erlang-p1-tls-1.0.20/debian/patches/0002-Specify-accepted-Client-CAs-during-handshake.patch 1970-01-01 00:00:00.000000000 +0000
+++ erlang-p1-tls-1.0.20/debian/patches/0002-Specify-accepted-Client-CAs-during-handshake.patch 2019-06-16 00:40:22.000000000 +0000
@@ -0,0 +1,93 @@
+From 611b6d74ab84686b8a22fd27c6b96383cc211324 Mon Sep 17 00:00:00 2001
+From: Stu Tomlinson
+Date: Fri, 2 Mar 2018 14:35:17 +0000
+Subject: [PATCH 02/33] Specify accepted Client CAs during handshake
+
+Specify which CAs will be accepted as issuers of Client Certificates
+during SSL handshake by passing ca_file to OpenSSL API SSL_CTX_set_client_CA_list.
+
+This is necessary for correct SSL negotiation of Client Certificate
+where client is expected to only send Client Certificate during
+handshake if it has one issued by an accepted CA.
+---
+ c_src/fast_tls.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/c_src/fast_tls.c b/c_src/fast_tls.c
+index 543ebef..bfda98e 100644
+--- a/c_src/fast_tls.c
++++ b/c_src/fast_tls.c
+@@ -52,6 +52,7 @@ typedef struct {
+ char *ca_file;
+ long options;
+ char *sni_error;
++ long command;
+ } state_t;
+ 
+ static int ssl_index;
+@@ -489,7 +490,9 @@ static ERL_NIF_TERM ssl_error(ErlNifEnv *env, const char *errstr) {
+ 
+ static SSL_CTX *create_new_ctx(char *cert_file, char *ciphers,
+ char *dh_file, char *ca_file,
++ unsigned int command,
+ char **err_str) {
++ long verifyopts;
+ int res = 0;
+ 
+ SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
+@@ -518,7 +521,15 @@ static SSL_CTX *create_new_ctx(char *cert_file, char *ciphers,
+ }
+ }
+ 
+- SSL_CTX_set_tlsext_servername_callback(ctx, &ssl_sni_callback);
++ if (command == SET_CERTIFICATE_FILE_ACCEPT) {
++ SSL_CTX_set_tlsext_servername_callback(ctx, &ssl_sni_callback);
++ verifyopts = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
++ if (ca_file) {
++ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
++ }
++ } else {
++ verifyopts = SSL_VERIFY_PEER;
++ }
+ 
+ if (ciphers[0] == 0)
+ SSL_CTX_set_cipher_list(ctx, CIPHERS);
+@@ -546,9 +557,7 @@ static SSL_CTX *create_new_ctx(char *cert_file, char *ciphers,
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
+ #endif
+- SSL_CTX_set_verify(ctx,
+- SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
+- verify_callback);
++ SSL_CTX_set_verify(ctx, verifyopts, verify_callback);
+ 
+ SSL_CTX_set_info_callback(ctx, &ssl_info_callback);
+ 
+@@ -568,6 +577,7 @@ static char *create_ssl_for_cert(char *cert_file, state_t *state) {
+ char *dh_file = state->dh_file;
+ char *ca_file = state->ca_file;
+ long options = state->options;
++ unsigned int command = state->command;
+ 
+ char *ret = NULL;
+ cert_info_t *info = NULL;
+@@ -599,7 +609,7 @@ static char *create_ssl_for_cert(char *cert_file, state_t *state) {
+ enif_rwlock_runlock(certs_map_lock);
+ 
+ enif_rwlock_rwlock(certs_map_lock);
+- SSL_CTX *ctx = create_new_ctx(cert_file, ciphers, dh_file, ca_file, &ret);
++ SSL_CTX *ctx = create_new_ctx(cert_file, ciphers, dh_file, ca_file, command, &ret);
+ if (ret == NULL) {
+ new_info = enif_alloc(sizeof(cert_info_t));
+ if (new_info) {
+@@ -709,6 +719,7 @@ static ERL_NIF_TERM open_nif(ErlNifEnv *env, int argc,
+ state->ca_file = state->dh_file + dhfile_bin.size + 1;
+ sni = state->ca_file + cafile_bin.size + 1;
+ state->options = options;
++ state->command = command;
+ 
+ memcpy(state->cert_file, certfile_bin.data, certfile_bin.size);
+ state->cert_file[certfile_bin.size] = 0;
+-- 
+2.20.1
+
diff -Nru erlang-p1-tls-1.0.20/debian/patches/0013-Update-cert-used-by-test-to-use-sha256-signature.patch erlang-p1-tls-1.0.20/debian/patches/0013-Update-cert-used-by-test-to-use-sha256-signature.patch
--- erlang-p1-tls-1.0.20/debian/patches/0013-Update-cert-used-by-test-to-use-sha256-signature.patch 1970-01-01 00:00:00.000000000 +0000
+++ erlang-p1-tls-1.0.20/debian/patches/0013-Update-cert-used-by-test-to-use-sha256-signature.patch 2019-06-16 00:40:31.000000000 +0000
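Review bot: `SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));` in the `SET_CERTIFICATE_FILE_ACCEPT` branch of create_new_ctx ignores that SSL_load_client_CA_file returns NULL when the file cannot be read or contains no certificates, so a bad ca_file silently yields a server that advertises an empty acceptable-CA list instead of failing the way the other loaders in this function report through `*err_str`. Keep the result and fail on NULL before installing it, e.g. `STACK_OF(X509_NAME) *ca_names = SSL_load_client_CA_file(ca_file);` followed by `if (ca_names == NULL) { /* set *err_str and bail out as the cert/dh loaders above do */ }` and only then `SSL_CTX_set_client_CA_list(ctx, ca_names);`. The new field also changes type along the way: `state_t.command` is `long` while `create_new_ctx` takes `unsigned int command` and `create_ssl_for_cert` copies it into an `unsigned int`; using one type, presumably whatever `command` already is in open_nif, avoids the implicit narrowing. Because `create_ssl_for_cert` appears to cache the ctx in certs_map and the cache key is not visible in this hunk, it is worth confirming that a ctx built for the connect side (plain SSL_VERIFY_PEER, no client CA list, no SNI callback) cannot be handed to an accept that uses the same cert file. The bodies of create_new_ctx, create_ssl_for_cert and open_nif continue outside the hunk.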
@@ -0,0 +1,115 @@ +From 194ea02a58405aba3f8f6fca5daca2294325bcaa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?= +Date: Fri, 24 Aug 2018 12:34:25 +0200 +Subject: [PATCH 13/33] Update cert used by test to use sha256 signature + +Previous version is no longer accepted by openssl1.1 +--- + tests/cert.pem | 86 +++++++++++++++++++++++++------------------------- + 1 file changed, 43 insertions(+), 43 deletions(-) + +diff --git a/tests/cert.pem b/tests/cert.pem +index 656369c..7e110f0 100644 +--- a/tests/cert.pem ++++ b/tests/cert.pem +@@ -1,54 +1,54 @@ + -----BEGIN CERTIFICATE----- +-MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTET +-MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ +-dHkgTHRkMB4XDTE3MDMwNzA5NTgxNloXDTQ0MDcyMzA5NTgxNlowWTELMAkGA1UE ++MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJBVTET ++MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ ++dHkgTHRkMB4XDTE4MDgyNDA5MzA1NloXDTQ2MDEwOTA5MzA1NlowWTELMAkGA1UE + BhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp + ZGdpdHMgUHR5IEx0ZDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B +-AQEFAAOCAQ8AMIIBCgKCAQEAnzzyImmDW0BdGoqsBJkIfcp0YjkMN6HDuRxTHvkv +-lXU1q9u1VOsoC84Uf+x2VC+UauT44lyqQPH2WorztEqB5y0N0BLISf1ZNcS/s6iB +-OaL6nAmA+A6Lm73Gt+HZP8yFWCerPWchHppOebei+edcxhRdjOJYU4wudvxr/tGg +-qsqeY6beV1T4gx8w5E/qRZ9r/ZCNQUjOS1Dj1KLigWVhVviF2Ynli2GG46cLwRPb +-MgK3i4Uu57E0YlnZYKp9uWLn673yxwoOr7uVyvuVGx70SmvTIC3Logei6D76OCsw +-uWCD8iKd6jpg84sHCtlFxVbeMAXBSVTRXJVRJYb+hB7Q1QIDAQABo4IBcjCCAW4w ++AQEFAAOCAQ8AMIIBCgKCAQEAwLATNFRSFKTfWd0HHoX4uw9lWw5uuq/bAIx9yYKY ++TaOr/tQKgzS2EXSnvMngrywJlP1HUzLrp3WNR0CiPIQ0YfeAP3xiSrotEWObRb/0 ++YwOZhCbOi0WpWPgZh3ct/XaEHhbnKYtblya1wVrCN/yur3ck+ru4Mka2lfxouKF9 ++y8kZn2qF0CEbR/bbJiOy0Cr+q+LCIOiD+iwKHhju6ks+OqmFwXhglE62b7yKZtcu ++SddnsimF6n0VXkS2Vm5Kg901Sed7QPtVR6EtIBh7WiwU6iLoOofFjOg3B7v3K8hX ++66Scj5V/mz++m2W9BTqkoYRmszPHXnFeF8ZhAzc2ncUWrQIDAQABo4IBcjCCAW4w + 
CQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy +-dGlmaWNhdGUwHQYDVR0OBBYEFD4Lfl3x6oeBw/MfBdOCmyyFV2NKMB8GA1UdIwQY +-MBaAFND2ZsvHIjITekPKs0ywLfoNEen5MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6 ++dGlmaWNhdGUwHQYDVR0OBBYEFEM665UV1uNuXuoj2Lq4YvUig8fMMB8GA1UdIwQY ++MBaAFIUaybHx/YmS/2ezwl7DkezTHoBBMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6 + Ly9sb2NhbGhvc3Q6NTI4MC9kYXRhL2NybC5kZXIwNgYIKwYBBQUHAQEEKjAoMCYG + CCsGAQUFBzABhhpodHRwOi8vbG9jYWxob3N0OjUyODAvb2NzcDALBgNVHQ8EBAMC + BeAwJwYDVR0lBCAwHgYIKwYBBQUHAwkGCCsGAQUFBwMBBggrBgEFBQcDAjBQBgNV + HREESTBHggsqLmxvY2FsaG9zdKA4BggrBgEFBQcIBaAsDCp0ZXN0X3NpbmdsZSEj +-JCVeKigpYH4rLTtfPVtde318XEBsb2NhbGhvc3QwDQYJKoZIhvcNAQEFBQADggEB +-AG4YXWyrGYBZqupfeAJ81IBz6gFFZ5GIDYdM+x6ewR/o+ALUxGpZRgnSHei1Fh4M +-wwrGLRIwqpeTtfs6BM0ld7tb0sJeO/B3QxzduKGPnmVni0S/s09m/4tehS4EnRd6 +-OxRvdCQFxMT5t0bWpUyY063xytju4vHYBMdpAkqyRuqb7of0qY1zfAWk4TKPi1pr +-O/vCes/asXEumn4MLZPGaoIiHNMacjehimp0g5y8FmnldchuZO94NZ/SYoAo1MXC +-0SyW6WEuIelnNXpzib8EesDgGP5zsUSvlb3EbEnEXAnQlbHfkZJhUHojlFVX+ALc +-6WYvzGhKeh6QoJ64pUCnRlY= ++JCVeKigpYH4rLTtfPVtde318XEBsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEB ++AGYMvXw1GZak2blxC2gr7p68MTjrPYAs26yKDuLR0Wpg1wMgnAelsMPrjjuSxWQX ++MlVFW1FD7OPIsgxgCZaOJiITEK6TgPa+XsSZa4H2o9fpIUd9Dy18sxJIjEpQMYa3 ++L5Uq5tMTlxK9tovH3wNbdnW24MZ0nlWP/uzspbXqk7F/C6AbLX6tHLfJhcpyg94Z ++UY/pZG9IP6MME784eEubP5I0mxSM2JN5JiPKsk14/a4veUBJXq+vcMVCfuxNCWVA ++RRk9MJ9U31W3D6G8Y7Es53I2mmEHoN1mFHKmW3El3gtXJ7aUenQP0ayGTXlnFuGd ++fPrgVCvv3ykkKd6cizhB1O8= + -----END CERTIFICATE----- + -----BEGIN RSA PRIVATE KEY----- +-MIIEowIBAAKCAQEAnzzyImmDW0BdGoqsBJkIfcp0YjkMN6HDuRxTHvkvlXU1q9u1 +-VOsoC84Uf+x2VC+UauT44lyqQPH2WorztEqB5y0N0BLISf1ZNcS/s6iBOaL6nAmA +-+A6Lm73Gt+HZP8yFWCerPWchHppOebei+edcxhRdjOJYU4wudvxr/tGgqsqeY6be +-V1T4gx8w5E/qRZ9r/ZCNQUjOS1Dj1KLigWVhVviF2Ynli2GG46cLwRPbMgK3i4Uu +-57E0YlnZYKp9uWLn673yxwoOr7uVyvuVGx70SmvTIC3Logei6D76OCswuWCD8iKd +-6jpg84sHCtlFxVbeMAXBSVTRXJVRJYb+hB7Q1QIDAQABAoIBACdBQv+wuy0XpNwS +-K23GvA0mh6JfJd/hBPrxPJx6GXzitCR1uTIB9pFScENI67K9N/1SDPjglygDfhO8 
+-BXAAnh17Qdh1iOKUjhVvN0L220R2JQmqXhzImSn/kqlqB8BujsC4psIwVj3RFF91 +-IbwxiPFbu+QrOFMAT8QNXiInU1BG1zM8O/9dXaDG1zSuLGH8hz8Xp6QYkZKWXErp +-MGg4smvzk+HhMvf678Uzg/a6z6JJoVc1oaaaNhQzurCJmPJLCjVsR7O9y0/OwPI5 +-PN+8Of06AdynWrx8LBdWFckTr8lvT/0FMYRIbubFG/ksLet+GHab/R0U49Ae0SMf +-vQzsy9ECgYEA0+eF3sfTtLjXFCKtiTHsFfaNqX3mIwtd+d4gOSzhRxj0JAr2/AWA +-c1vrk9wLanoi/awe7qQfJIZGQHbrmzk17IFJqzKEokmJqId07mVgCy9rRy/v2Tuy +-vSXkSNHEqCQVdMQLVVZ78eUkonokrPrb8NvuV6La8p1+wqeHPuqnfnsCgYEAwF/O +-XDs/pg/N6XzoBOq9xkhwXtrllvsd99LNhsO75nLo0EI6m4tc/fpm1bpVOMxDThwi +-vEyCdYyxkBlHEbjW5r73ZjF+qBRmRLcp380+N71S1Ljj5AO5+5IFzoFw+lYNXbSB +-aH+OuFanwnYVJF0E6RIahdadWZCWYNONBjJQdO8CgYAcuM3xY15zqXYlmYmyBd09 +-IN0Usyblax4CxzPQ7B9g1qYI2J+fi1Ncz4G/2dyGQyXJAnJy4DYEalrNVBEdSgTg +-GKoWlVNa9+K7wBh+U6lP+s5sqLe21xuj/aXSpPQl4jYyTHxIxd8o62kqyKl99Mao +-//ZvVHie1/AdjD2NrpqjTwKBgQC9CKfQC8x0ks0lJb8crcqDoEUDgJfgr6v4DSY2 +-yfnG7p2Fn77Vf7GGRNtuI6aApH9yrsUXQRtlBTaqQZyLdpV9sqOKwRITedAwr8ev +-CpCb1ycgrvoI4fyMjyWzkZCB/bMupCQRml6VF1nMBZqq29jqaga0A3slOqX6SYcn +-UqOq8wKBgF4gw/71uU40yQM4hKjKFT1iCWIfMEWTUxhZkGyntCzqTUsEBH7o+1C9 +-BOzGeUn38MmZlQvsZj1BmnkyovX79i5b5o0OBUfGBBP+GfupYfUOyvYz9g7LV6Ry +-pVHDD0k2iW1L5rcLtHECTZKKwXn9CyZISulXEuzMu0P0QhlN2TH5 ++MIIEowIBAAKCAQEAwLATNFRSFKTfWd0HHoX4uw9lWw5uuq/bAIx9yYKYTaOr/tQK ++gzS2EXSnvMngrywJlP1HUzLrp3WNR0CiPIQ0YfeAP3xiSrotEWObRb/0YwOZhCbO ++i0WpWPgZh3ct/XaEHhbnKYtblya1wVrCN/yur3ck+ru4Mka2lfxouKF9y8kZn2qF ++0CEbR/bbJiOy0Cr+q+LCIOiD+iwKHhju6ks+OqmFwXhglE62b7yKZtcuSddnsimF ++6n0VXkS2Vm5Kg901Sed7QPtVR6EtIBh7WiwU6iLoOofFjOg3B7v3K8hX66Scj5V/ ++mz++m2W9BTqkoYRmszPHXnFeF8ZhAzc2ncUWrQIDAQABAoIBAD0Ly5nJmROXRHe4 ++8dd2xF2nPApEIUqeCjk7SWK9MDlwwD4Euavl2EThe37xSnDU99gvAhjWyhgMwwyu ++6ndXvyzGd+glJRLdtweKUhgf/3IbItjeXpN7J3Lbb2MenABwOt05jlT4JLVXez/d ++3ChWspU+nwWc0XeENbaA+EB+UVdtOfJhRk5l/LPENHBwEjMgRsbPO+upa4v/YEbj ++GwDaaC1HsI8jqGxSu2IRFqEeEOniPjnAi6SYfl41ZBj+cUrYA3xT94Ksk403iwax ++Ln7FJC2oNo/Okunf6V9ucgzLAYIA/LW/BJ6+dcAzH6OGYuvI6a229W2pEbL7gwiw ++7pouoyECgYEA/T3RIktzeCvVz4g2cy8IkzxBt95tpcJd5weMfyn2qYiQVxPZa9dW 
++VE7hKKQAOphSj+38Rg/W1tMefPzk8PcnxdI7hi1RF7xk1rIH6SwLE2rywz7Oh0UG ++5OuL5AOu0rnIXKBWO/o7mPq8ix1eOGRumT29rfKKecIUGwxPagdrJnkCgYEAwslm ++SUwU6KoRoXzm13Q5XcYVkhiwzr05nGuxN5chzpyfLsRBZFJOBCRgnprx2tNANvzx ++9raIw76BUueBZ+9OEnX9QshUdd4/+Mu+Htl3Q7jDOMv4I+CleD3M83dwrLkyUGXc ++iU5+N2xlrg6Zs6MqB59M2t2cppys6OK45+7ZtNUCgYEA7toAR91sUnrd1jk+ShOh ++feWGgprrRj11/fKzxDjbKnng0hCpsDpRdYFUgtV0Vc/Xh2NK3vYPh11m0zJf6Rrk ++S4QHmn1hkAakAY+3QGjHJZBo2liByToEz6OOtQf4O075OMwNqdJRpe9QJ9ISTRQE ++8Mo3/jnV/BNejUhmGrZWjNkCgYAGWHdLlf3sYnX2k9IVXMTtqCFVxBYmdgWlceCx ++FexVBcctx9j1grTl76VyJUwRu+YQpIbhaark7ZTa9Y3CrAoYEd3xSgNuX5In8cM8 ++0ArRmvhJJmPsD0p0s1a068Qw7EuWUOsxUexMs+xQEkuxjXQ2EVt4mdWbm+kKITCy ++5ZYUDQKBgHlWfvgXk3G2l8Pa07KW8Eo4Rvsp//L5aKG73kEQfmbD7ArJUX39T98n ++06wuN0yQsMkkgReQ/0q1jebZ1q27GrkIpWLIbL5qpUE9R+2PenHcbcVotvwc0cCk ++rSi8bYoVxJvtLPs08GahDEKgyBE2VL5Zu2kn70ij14uw3Gy4ug+O + -----END RSA PRIVATE KEY----- +-- +2.20.1 + diff -Nru erlang-p1-tls-1.0.20/debian/patches/0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch erlang-p1-tls-1.0.20/debian/patches/0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch --- erlang-p1-tls-1.0.20/debian/patches/0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch 1970-01-01 00:00:00.000000000 +0000 +++ erlang-p1-tls-1.0.20/debian/patches/0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch 2019-06-16 00:40:39.000000000 +0000 
@@ -0,0 +1,26 @@
+From a4eeddcfc4d9e96448d0750773d7034f19c82623 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?=
+Date: Fri, 24 Aug 2018 12:38:46 +0200
+Subject: [PATCH 14/33] Add no_tlsv1_3 option parsing from openssl1.1
+
+---
+ c_src/options.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/c_src/options.h b/c_src/options.h
+index 64a8e77..ba5ee13 100644
+--- a/c_src/options.h
++++ b/c_src/options.h
+@@ -102,6 +102,9 @@ static ssl_option_t ssl_options[] = {
+ #if defined(SSL_OP_NO_TLSv1_2)
+ {"no_tlsv1_2", SSL_OP_NO_TLSv1_2},
+ #endif
++#if defined(SSL_OP_NO_TLSv1_3)
++ {"no_tlsv1_3", SSL_OP_NO_TLSv1_3},
++#endif
+ #if defined(SSL_OP_PKCS1_CHECK_1)
+ {"pkcs1_check_1", SSL_OP_PKCS1_CHECK_1},
+ #endif
+-- 
+2.20.1
+
diff -Nru erlang-p1-tls-1.0.20/debian/patches/0016-Improve-tests-to-make-them-work-with-openssl1.1.patch erlang-p1-tls-1.0.20/debian/patches/0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
--- erlang-p1-tls-1.0.20/debian/patches/0016-Improve-tests-to-make-them-work-with-openssl1.1.patch 1970-01-01 00:00:00.000000000 +0000
+++ erlang-p1-tls-1.0.20/debian/patches/0016-Improve-tests-to-make-them-work-with-openssl1.1.patch 2019-06-16 00:40:47.000000000 +0000
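Review bot: The new `{"no_tlsv1_3", SSL_OP_NO_TLSv1_3}` entry exists only when the OpenSSL headers define the macro, so built against a library older than 1.1.1 the name `no_tlsv1_3` is absent from ssl_options altogether, and whether such a protocol_options string is then rejected or silently accepted depends on how the option parser treats unknown names, which is not visible in this hunk. A comment on the guard would spare the next reader that check, e.g. `/* SSL_OP_NO_TLSv1_3 is only defined by OpenSSL >= 1.1.1; on older libraries this name is unknown to the parser */`. The same caveat applies to the test strings in 0016, which now depend on this name.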
@@ -0,0 +1,73 @@
+From d8c5a714d15b7ab2615e548d214d3eb7670c718b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?=
+Date: Fri, 24 Aug 2018 12:42:26 +0200
+Subject: [PATCH 16/33] Improve tests to make them work with openssl1.1
+
+---
+ src/fast_tls.erl | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/fast_tls.erl b/src/fast_tls.erl
+index 3ca0cbf..b4addae 100644
+--- a/src/fast_tls.erl
++++ b/src/fast_tls.erl
+@@ -508,12 +508,12 @@ transmission_test() ->
+ LPid ! {stop, self()},
+ receive
+ {received, Msg} ->
+- ?assertEqual(Msg, <<"abcdefghi">>)
++ ?assertEqual(<<"abcdefghi">>, Msg)
+ end.
+ 
+ not_compatible_protocol_options_test() ->
+- {LPid, Port} = setup_listener([{protocol_options, <<"no_sslv2|no_sslv3|no_tlsv1_1|no_tlsv1_2">>}]),
+- SPid = setup_sender(Port, [{protocol_options, <<"no_sslv2|no_sslv3|no_tlsv1|no_tlsv1_2">>}]),
++ {LPid, Port} = setup_listener([{protocol_options, <<"no_sslv2|no_sslv3|no_tlsv1_1|no_tlsv1_2|no_tlsv1_3">>}]),
++ SPid = setup_sender(Port, [{protocol_options, <<"no_sslv2|no_sslv3|no_tlsv1|no_tlsv1_2|no_tlsv1_3">>}]),
+ SPid ! {stop, self()},
+ receive
+ {result, Res} ->
+@@ -521,8 +521,10 @@ not_compatible_protocol_options_test() ->
+ end,
+ LPid ! {stop, self()},
+ receive
++ {received, {error, _, _} = Msg} ->
++ ?assertMatch({error, _, <<>>}, Msg);
+ {received, Msg} ->
+- ?assertEqual(Msg, <<>>)
++ ?assertMatch(<<>>, Msg)
+ end.
+ 
+ setup_listener(Opts) ->
+@@ -546,11 +548,16 @@ listener_loop(TLSSock, Msg) ->
+ after 0 ->
+ listener_loop(TLSSock, Msg)
+ end;
+- {error, _} ->
++ {error, closed} ->
+ receive
+ {stop, Pid} ->
+ Pid ! {received, Msg}
+ end;
++ {error, Err} ->
++ receive
++ {stop, Pid} ->
++ Pid ! {received, {error, Err, Msg}}
++ end;
+ {ok, Data} ->
+ listener_loop(TLSSock, <>)
+ end.
+@@ -576,7 +583,9 @@ sender_loop(TLSSock) ->
+ close(TLSSock),
+ ok
+ catch
+- _:Err -> Err
++ _:Err ->
++ close(TLSSock),
++ Err
+ end,
+ receive
+ {stop, Pid} ->
+-- 
+2.20.1
+
diff -Nru erlang-p1-tls-1.0.20/debian/patches/0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch erlang-p1-tls-1.0.20/debian/patches/0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
--- erlang-p1-tls-1.0.20/debian/patches/0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch 1970-01-01 00:00:00.000000000 +0000
+++ erlang-p1-tls-1.0.20/debian/patches/0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch 2019-06-16 00:42:08.000000000 +0000
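Review bot: The second `{received, Msg}` clause in not_compatible_protocol_options_test uses `?assertMatch(<<>>, Msg)` where an equality check is meant; `?assertEqual(<<>>, Msg)` states what is being checked and reports the actual value on failure. The two new clauses can also bind the payload directly instead of matching twice, `{received, {error, _, Data}} -> ?assertEqual(<<>>, Data);`, leaving the plain `{received, Msg}` clause for the clean-close case. In sender_loop the `close(TLSSock)` added inside the catch clause is itself unprotected, so if close/1 raises on an already failed socket the original Err is replaced by that new exception; whether close/1 can raise is not visible here. The listener_loop and sender_loop bodies start and end outside the hunk.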
@@ -0,0 +1,52 @@
+From 9b25543cf1200e3b216996598771962461ea51c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?=
+Date: Mon, 1 Oct 2018 18:25:36 +0200
+Subject: [PATCH 22/33] Use SSL_OP_NO_RENEGOTIATION when available
+
+Our own method for detecting client renegotiations causes problems in
+openssl1.1.1 and TLS1.3, so let's make openssl care about handling this.
+---
+ c_src/fast_tls.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: erlang-p1-tls-1.0.20/c_src/fast_tls.c
+===================================================================
+--- erlang-p1-tls-1.0.20.orig/c_src/fast_tls.c
++++ erlang-p1-tls-1.0.20/c_src/fast_tls.c
+@@ -390,6 +390,7 @@ static int setup_dh(SSL_CTX *ctx, char *
+ 
+ #endif
+ 
++#ifndef SSL_OP_NO_RENEGOTIATION
+ static void ssl_info_callback(const SSL *s, int where, int ret) {
+ state_t *d = (state_t *) SSL_get_ex_data(s, ssl_index);
+ if ((where & SSL_CB_HANDSHAKE_START) && d->handshakes) {
+@@ -398,6 +399,7 @@ static void ssl_info_callback(const SSL 
+ d->handshakes++;
+ }
+ }
++#endif
+ 
+ static char *create_ssl_for_cert(char *, state_t *);
+ 
+@@ -559,7 +561,9 @@ static SSL_CTX *create_new_ctx(char *cer
+ #endif
+ SSL_CTX_set_verify(ctx, verifyopts, verify_callback);
+ 
++#ifndef SSL_OP_NO_RENEGOTIATION
+ SSL_CTX_set_info_callback(ctx, &ssl_info_callback);
++#endif
+ 
+ *err_str = NULL;
+ return ctx;
+@@ -779,6 +783,10 @@ static ERL_NIF_TERM open_nif(ErlNifEnv *
+ SSL_set_connect_state(state->ssl);
+ }
+ 
++#ifdef SSL_OP_NO_RENEGOTIATION
++ SSL_set_options(state->ssl, SSL_OP_NO_RENEGOTIATION);
++#endif
++
+ ERL_NIF_TERM result = enif_make_resource(env, state);
+ enif_release_resource(state);
+ return OK_T(result);
diff -Nru erlang-p1-tls-1.0.20/debian/patches/series erlang-p1-tls-1.0.20/debian/patches/series
--- erlang-p1-tls-1.0.20/debian/patches/series 2018-01-03 19:41:50.000000000 +0000
+++ erlang-p1-tls-1.0.20/debian/patches/series 2019-06-16 00:40:56.000000000 +0000
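Review bot: The `#ifdef SSL_OP_NO_RENEGOTIATION` block added at the end of open_nif applies the option to every SSL object after `SSL_set_connect_state`, while the ssl_info_callback it replaces was installed once on the shared ctx in create_new_ctx; setting it there with `SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);` as the `#else` of the `#ifndef` guard around `SSL_CTX_set_info_callback` keeps both mechanisms in one place and makes the either/or relationship visible. The three guards deserve a comment on why the handshake counter is compiled out, e.g. `/* OpenSSL >= 1.1.1 refuses renegotiation itself (no_renegotiation alert), so the handshake counter in ssl_info_callback is not needed and breaks under TLS 1.3 */`. With the callback gone, `d->handshakes` is presumably no longer incremented on those builds, so anything that still reads it, which is outside this hunk, should be checked for a now-dead path. The enclosing functions start and end outside the hunks.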
@@ -1 +1,6 @@
 remove-deps.diff
+0002-Specify-accepted-Client-CAs-during-handshake.patch
+0013-Update-cert-used-by-test-to-use-sha256-signature.patch
+0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
+0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
+0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch