From 0812bc1768cedc420adc03e86893d798fa19e872 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Wed, 1 Feb 2023 14:38:53 -0500
Subject: [PATCH] be more careful about session established. Fixes #4878
---
 src/main/tls.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/main/tls.c b/src/main/tls.c
index 5ca2f5fed250..4f34d70faccc 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
 return FR_TLS_FAIL;
 case handshake:
- if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) {
+ if (ssn->dirty_out.used > 0) {
+ RDEBUG2("(TLS) Peer ACKed our handshake fragment");
+ /* Fragmentation handler, send next fragment */
+ return FR_TLS_REQUEST;
+ }
+
+ if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) {
 RDEBUG2("(TLS) Peer ACKed our handshake fragment. handshake is finished");
 /*
@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
 return FR_TLS_SUCCESS;
 } /* else more data to send */
- RDEBUG2("(TLS) Peer ACKed our handshake fragment");
- /* Fragmentation handler, send next fragment */
- return FR_TLS_REQUEST;
+ REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
+ return FR_TLS_FAIL;
 case application_data:
 RDEBUG2("(TLS) Peer ACKed our application data fragment");
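Review bot: The new test `ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)` in the first hunk treats the handshake as complete on either of two signals, but nothing says why the session's cached flag is no longer enough or which signal is authoritative when they disagree. A short comment above the `if` would help, for example `/* is_init_finished may not be set yet when the ACK arrives, so also ask OpenSSL directly */`, if that is indeed the reason. The success branch continues past the end of this hunk, so it is not visible whether `ssn->is_init_finished` is brought back in sync there. If later code reads only the flag, setting it inside this branch would keep the two from diverging.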
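Review bot: The context comment `} /* else more data to send */` in the second hunk is now wrong, because falling out of that `if` leads to `FR_TLS_FAIL` rather than to the next fragment; it should read something like `} /* else handshake not finished and nothing left to send */`. The new `REDEBUG` text also does not say what the peer actually did, which makes the log line hard to use when triaging failed TLS sessions. A message such as `REDEBUG("(TLS) Peer ACKed a handshake fragment, but the handshake is not finished and there is no more data to send");` would record the condition that was detected. The `case handshake:` body starts before this hunk.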