From 713127de4cb13ce33f8ada07cece2ef5f482ec02 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 1 Oct 2024 12:44:33 +0200 Subject: [PATCH] dtls_server: allow unexpected messages during handshake If MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE happens during the handshake, don't show it as an "error". It might be an error, but it might also be a fact of life if it happens during the second or more handshake: it can be a duplicated packet or a close_notify alert from the previous connection, which is hard to avoid and harmless. Fixes #9652. Signed-off-by: Gilles Peskine
---
 programs/ssl/dtls_server.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index 20e53d3b79..6430ed2a2f 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -289,7 +289,14 @@ reset:
 ret = 0;
 goto reset;
 } else if (ret != 0) {
- printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret);
+ printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n", (unsigned int) -ret);
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
+ printf(" An unexpected message was received from our peer. If this happened at\n");
+ printf(" the beginning of the handshake, this is likely a duplicated packet or\n");
+ printf(" a close_notify alert from the previous connection, which is harmless.\n");
+ ret = 0;
+ }
+ printf("\n");
 goto reset;
 }
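Review bot: The `ret = 0;` inside the new `if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE)` block is unconditional, while the text it prints only claims the condition is harmless when it occurs at the start of a second or later handshake; on the very first connection, or mid-handshake after the peer's ClientHello has been processed, the sample now treats a genuine protocol violation (or a record injected by a third party on the UDP socket) as benign, and if the `reset:` path reports the last error only when `ret != 0`, as the sibling `ret = 0; goto reset;` branch suggests, that diagnostic is lost too. Consider gating the suppression on whether a handshake has already completed, e.g. `if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE && handshakes_done > 0) {` with `handshakes_done` incremented where `mbedtls_ssl_handshake` returns 0 (outside this hunk), or at minimum keep `ret` non-zero so the error is still reported alongside the explanatory text. The enclosing function starts and ends outside the hunk.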