Don't send unexpected_message if we receive CCS while stateless Probably this is the CCS between the first and second ClientHellos. It should be ignored. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 38b86c9..6bd54ac 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c
@@ -1120,6 +1120,17 @@ SSL_R_BAD_CHANGE_CIPHER_SPEC); return 0; } + if (s->statem.hand_state == TLS_ST_BEFORE + && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) { + /* + * We are stateless and we received a CCS. Probably this is + * from a client between the first and second ClientHellos. + * We should ignore this, but return an error because we do + * not return success until we see the second ClientHello + * with a valid cookie. + */ + return 0; + } s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; s->init_num = readbytes - 1; s->init_msg = s->init_buf->data;