tls13 client may send redundant change cipher spec(ccs) messages.

Summary

The tls13 client may send two change cipher spec(ccs) messages when MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE is on. One is right after client hello and another is before server finish. The first one seems redundant. Maybe we need a flag to bookkeeping if ccs is sent or not.

System information

This issue doesn't happen in development branch. (i.e. MVP). It happens in the tls13-prototype branch.

Mbed TLS version (number or commit id): Operating system and version: Configuration (if not default, please attach mbedtls_config.h): Compiler and options (if you used a pre-built binary, please indicate how you obtained it): Additional environment information:

Expected behavior

Only one ccs should be sent.

Actual behavior

Two ccs may be sent.

Steps to reproduce

programs/ssl/ssl_client2 server_addr=::1 server_port=4433 debug_level=5 force_version=tls1_3

Check write change cipher spec in the log

ssl_tls13_client.c:1993: |2| <= write client hello
ssl_msg.c:2140: |2| => flush output
ssl_msg.c:2152: |2| <= flush output
ssl_tls13_client.c:4111: |2| tls1_3 client state: 31
ssl_msg.c:2140: |2| => flush output
ssl_msg.c:2152: |2| <= flush output
ssl_tls13_generic.c:0284: |2| => write change cipher spec
ssl_tls13_generic.c:0324: |2| <= write change cipher spec
ssl_msg.c:2140: |2| => flush output

..
ssl_tls13_client.c:0969: |2| <= write EndOfEarlyData
ssl_msg.c:2140: |2| => flush output
ssl_msg.c:2152: |2| <= flush output
ssl_tls13_client.c:4111: |2| tls1_3 client state: 30
ssl_msg.c:2140: |2| => flush output
ssl_msg.c:2152: |2| <= flush output
ssl_tls13_generic.c:0284: |2| => write change cipher spec
...
ssl_msg.c:2861: |2| <= write record
ssl_tls13_generic.c:0324: |2| <= write change cipher spec
ssl_msg.c:2140: |2| => flush output
ssl_msg.c:2152: |2| <= flush output
ssl_tls13_client.c:4111: |2| tls1_3 client state: 7

hannestschofenig / mbedtls