Merge branch 'dotsimon/cancel-alert/OTP-19592' into maint-27

Erlang/OTP · Erlang/OTP · commit 35fc3825e01b · 2025-04-16T14:32:22.000+02:00
* dotsimon/cancel-alert/OTP-19592:
  Reduce log level of user_canceled alert
  Handle closure alerts in pre-connected states
diff --git a/lib/ssl/src/ssl_gen_statem.erl b/lib/ssl/src/ssl_gen_statem.erl
@@ -1917,6 +1917,12 @@ log_alert(Level, Role, ProtocolName, StateName, #alert{role = Role} = Alert) ->
                                     statename => StateName,
                                     alert => Alert,
                                     alerter => own}, Alert#alert.where);
+log_alert(Level, Role, ProtocolName, StateName, #alert{description = ?USER_CANCELED} = Alert) ->
+    ssl_logger:log(info, Level, #{protocol => ProtocolName,
+                                  role => Role,
+                                  statename => StateName,
+                                  alert => Alert,
+                                  alerter => peer}, Alert#alert.where);
 log_alert(Level, Role, ProtocolName, StateName,  Alert) ->
     ssl_logger:log(notice, Level, #{protocol => ProtocolName,
                                     role => Role,
diff --git a/lib/ssl/src/tls_record_1_3.erl b/lib/ssl/src/tls_record_1_3.erl
@@ -157,15 +157,17 @@ decode_cipher_text(#ssl_tls{type = ?ALERT,
     {#ssl_tls{type = ?ALERT,
               version = ?TLS_1_3, %% Internally use real version
               fragment = <<?FATAL,?ILLEGAL_PARAMETER>>}, ConnectionStates0};
-%% TLS 1.3 server can receive a User Cancelled Alert when handshake is
-%% paused and then cancelled on the client side.
+%% TLS 1.3 server can receive Closure Alerts before the handshake is completed
 decode_cipher_text(#ssl_tls{type = ?ALERT,
                             version = ?LEGACY_VERSION,
-                            fragment = <<?FATAL,?USER_CANCELED>>},
-		   ConnectionStates0) ->
+                            fragment = <<_Level,ClosureAlert>>},
+                   #{current_read :=
+                         #{security_parameters :=
+                               #security_parameters{application_traffic_secret = undefined}}} = ConnectionStates0)
+  when (ClosureAlert == ?USER_CANCELED orelse ClosureAlert == ?CLOSE_NOTIFY) ->
     {#ssl_tls{type = ?ALERT,
               version = ?TLS_1_3, %% Internally use real version
-              fragment = <<?FATAL,?USER_CANCELED>>}, ConnectionStates0};
+              fragment = <<?FATAL,ClosureAlert>>}, ConnectionStates0};
 %% RFC8446 - TLS 1.3
 %% D.4.  Middlebox Compatibility Mode
 %%    -  If not offering early data, the client sends a dummy
