X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_client.t0;h=911fdfcd30740590698e4946d51b324134540fdd;hp=cfe5f782b270616225a261f00d5577437bb9f0c0;hb=8cd3f8fecbb8eee7d4cd71c464694cf1621c5e99;hpb=7f343eedfc0ef1b3eab8ded1d60e2abc82324a5e

diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0
index cfe5f78..911fdfc 100644
--- a/src/ssl/ssl_hs_client.t0
+++ b/src/ssl/ssl_hs_client.t0
@@ -805,6 +805,13 @@ cc: DEBUG-BLOB ( addr len -- ) {
 			1 addr-reneg set8
 		then
 		close-elt
+	else
+		\ No extension received at all, so the server does not
+		\ support secure renegotiation. This is a hard failure
+		\ if the server was previously known to support it (i.e.
+		\ this is a renegotiation).
+		ext-reneg-length 5 > if ERR_BAD_SECRENEG fail then
+		1 addr-reneg set8
 	then
 	close-elt
 	resume
@@ -1257,6 +1264,12 @@ cc: do-client-sign ( -- sig_len ) {
 						wait-co drop
 					repeat
 					100 send-warning
+					\ We rejected the renegotiation,
+					\ but the connection is not dead.
+					\ We must set back things into
+					\ working "application data" state.
+					1 addr-application_data set8
+					23 addr-record_type_out set8
 				else
 					do-handshake
 				then