From 63a94deb43f93f014de76913fd46d4a35ecdfe4d Mon Sep 17 00:00:00 2001
From: Luke
Date: Sun, 25 Oct 2020 21:09:10 +0000
Subject: [PATCH] LibTLS: Treat a close_notify before agreeing on a cipher suite as a handshake failure

Some TLS implementations (namely, AWS CloudFront) do this instead of sending handshake_failure for some reason.
---
 Libraries/LibTLS/Record.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Libraries/LibTLS/Record.cpp b/Libraries/LibTLS/Record.cpp
index f061c5500a..7350ae09d5 100644
--- a/Libraries/LibTLS/Record.cpp
+++ b/Libraries/LibTLS/Record.cpp
@@ -315,6 +315,12 @@ ssize_t TLSv12::handle_message(const ByteBuffer& buffer)
 res += 2;
 alert(AlertLevel::Critical, AlertDescription::CloseNotify);
 m_context.connection_finished = true;
+ if (!m_context.cipher_spec_set) {
+ // AWS CloudFront hits this.
+ dbg() << "Server sent a close notify and we haven't agreed on a cipher suite. Treating it as a handshake failure.";
+ m_context.critical_error = (u8)AlertDescription::HandshakeFailure;
+ try_disambiguate_error();
+ }
 }
 m_context.error_code = (Error)code;
 }
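Review bot: The added `if (!m_context.cipher_spec_set)` branch leaves the context in a mixed state, because `m_context.connection_finished = true;` has already run on the line above it and `m_context.error_code = (Error)code;` still runs after it, so only `critical_error` records the handshake failure. If a caller consults `connection_finished` or `error_code` first, a handshake cut short by an early close_notify could be read as an orderly close; that is not visible here, since handle_message starts and ends outside the hunk. An alert received before a cipher suite is agreed is presumably unprotected and unauthenticated, so it is worth stating that next to the CloudFront remark, e.g. `// No cipher suite agreed yet: this alert is unauthenticated, so report a handshake failure rather than a clean shutdown.` It would also help to note in that comment which of the three fields callers are expected to check.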