Merge remote-tracking branch 'mbedtls-3.6' into tls-defragmentation-merge-3.6-20250303
diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt
new file mode 100644
index 0000000..4fd4a4e
--- /dev/null
+++ b/ChangeLog.d/tls-hs-defrag-in.txt
@@ -0,0 +1,12 @@
+Bugfix
+ * Support re-assembly of fragmented handshake messages in TLS, as mandated
+ by the spec. Lack of support was causing handshake failures with some
+ servers, especially with TLS 1.3 in practice (though both protocol
+ version could be affected in principle, and both are fixed now).
+ The initial fragment for each handshake message must be at least 4 bytes.
+
+ Server-side, defragmentation of the ClientHello message is only
+ supported if the server accepts TLS 1.3 (regardless of whether the
+ ClientHello is 1.3 or 1.2). That is, servers configured (either
+ at compile time or at runtime) to only accept TLS 1.2 will
+ still fail the handshake if the ClientHello message is fragmented.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 42fffbf..597da25 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1724,7 +1724,16 @@
int MBEDTLS_PRIVATE(early_data_state);
#endif
- unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */
+ /** Multipurpose field.
+ *
+ * - DTLS: records with a bad MAC received.
+ * - TLS: accumulated length of handshake fragments (up to \c in_hslen).
+ *
+ * This field is multipurpose in order to preserve the ABI in the
+ * Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS
+ * and called `badmac_seen`.
+ */
+ unsigned MBEDTLS_PRIVATE(badmac_seen_or_in_hsfraglen);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Callback to customize X.509 certificate chain verification */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 7495ae3..348c319 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1830,10 +1830,11 @@
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform);
-void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index dcda1d3..7b11e4d 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -25,6 +25,7 @@
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
+#include <limits.h>
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -3220,13 +3221,17 @@
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
{
- if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
+ /* First handshake fragment must at least include the header. */
+ if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
- ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+ if (ssl->in_hslen == 0) {
+ ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+ ssl->badmac_seen_or_in_hsfraglen = 0;
+ }
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
" %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
@@ -3292,10 +3297,67 @@
}
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
- /* With TLS we don't handle fragmentation (for now) */
- if (ssl->in_msglen < ssl->in_hslen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported"));
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ if (ssl->badmac_seen_or_in_hsfraglen <= ssl->in_hslen) {
+ int ret;
+ const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen;
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("handshake fragment: %u .. %"
+ MBEDTLS_PRINTF_SIZET " of %"
+ MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET,
+ ssl->badmac_seen_or_in_hsfraglen,
+ (size_t) ssl->badmac_seen_or_in_hsfraglen +
+ (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen),
+ ssl->in_hslen, ssl->in_msglen));
+ if (ssl->in_msglen < hs_remain) {
+ /* ssl->in_msglen is a 25-bit value since it is the sum of the
+ * header length plus the payload length, the header length is 4
+ * and the payload length was received on the wire encoded as
+ * 3 octets. We don't support 16-bit platforms; more specifically,
+ * we assume that both unsigned and size_t are at least 32 bits.
+ * Therefore there is no possible integer overflow here.
+ */
+ ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen;
+ ssl->in_hdr = ssl->in_msg + ssl->in_msglen;
+ ssl->in_msglen = 0;
+ mbedtls_ssl_update_in_pointers(ssl);
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+ if (ssl->badmac_seen_or_in_hsfraglen > 0) {
+ /*
+ * At in_first_hdr we have a sequence of records that cover the next handshake
+ * record, each with its own record header that we need to remove.
+ * Note that the reassembled record size may not equal the size of the message,
+ * there may be more messages after it, complete or partial.
+ */
+ unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ unsigned char *p = in_first_hdr, *q = NULL;
+ size_t merged_rec_len = 0;
+ do {
+ mbedtls_record rec;
+ ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec);
+ if (ret != 0) {
+ return ret;
+ }
+ merged_rec_len += rec.data_len;
+ p = rec.buf + rec.buf_len;
+ if (q != NULL) {
+ memmove(q, rec.buf + rec.data_offset, rec.data_len);
+ q += rec.data_len;
+ } else {
+ q = p;
+ }
+ } while (merged_rec_len < ssl->in_hslen);
+ ssl->in_hdr = in_first_hdr;
+ mbedtls_ssl_update_in_pointers(ssl);
+ ssl->in_msglen = merged_rec_len;
+ /* Adjust message length. */
+ MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0);
+ ssl->badmac_seen_or_in_hsfraglen = 0;
+ MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
+ ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len);
+ }
+ } else {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
return 0;
@@ -4640,6 +4702,16 @@
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
+ if (ssl->badmac_seen_or_in_hsfraglen != 0) {
+ /* Not all handshake fragments have arrived, do not consume. */
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("waiting for more fragments (%u of %"
+ MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)",
+ ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen,
+ ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen));
+ return 0;
+ }
+
/*
* Get next Handshake message in the current record
*/
@@ -4665,6 +4737,7 @@
ssl->in_msglen -= ssl->in_hslen;
memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
ssl->in_msglen);
+ MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
ssl->in_msg, ssl->in_msglen);
@@ -4967,10 +5040,12 @@
return ret;
}
- if (ssl->conf->badmac_limit != 0 &&
- ++ssl->badmac_seen >= ssl->conf->badmac_limit) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC"));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
+ if (ssl->conf->badmac_limit != 0) {
+ ++ssl->badmac_seen_or_in_hsfraglen;
+ if (ssl->badmac_seen_or_in_hsfraglen >= ssl->conf->badmac_limit) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC"));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
}
/* As above, invalid records cause
@@ -5339,7 +5414,7 @@
} else
#endif
{
- ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ ssl->in_ctr = ssl->in_buf;
ssl->in_len = ssl->in_hdr + 3;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl->in_cid = ssl->in_len;
@@ -5355,24 +5430,35 @@
* Setup an SSL context
*/
-void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl)
+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->in_hdr = ssl->in_buf;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ {
+ ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ }
+
+ /* Derive other internal pointers. */
+ mbedtls_ssl_update_in_pointers(ssl);
+}
+
+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl)
{
/* Set the incoming and outgoing record pointers. */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
ssl->out_hdr = ssl->out_buf;
- ssl->in_hdr = ssl->in_buf;
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
{
ssl->out_ctr = ssl->out_buf;
- ssl->out_hdr = ssl->out_buf + 8;
- ssl->in_hdr = ssl->in_buf + 8;
+ ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
}
-
/* Derive other internal pointers. */
mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
- mbedtls_ssl_update_in_pointers(ssl);
}
/*
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c773365..7f74248 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -344,12 +344,13 @@
size_t out_buf_new_len)
{
int modified = 0;
- size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
if (ssl->in_buf != NULL) {
written_in = ssl->in_msg - ssl->in_buf;
iv_offset_in = ssl->in_iv - ssl->in_buf;
len_offset_in = ssl->in_len - ssl->in_buf;
+ hdr_in = ssl->in_hdr - ssl->in_buf;
if (downsizing ?
ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
ssl->in_buf_len < in_buf_new_len) {
@@ -381,7 +382,10 @@
}
if (modified) {
/* Update pointers here to avoid doing it twice. */
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ ssl->in_hdr = ssl->in_buf + hdr_in;
+ mbedtls_ssl_update_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
+
/* Fields below might not be properly updated with record
* splitting or with CID, so they are manually updated here. */
ssl->out_msg = ssl->out_buf + written_out;
@@ -1409,7 +1413,8 @@
goto error;
}
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ mbedtls_ssl_reset_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
#if defined(MBEDTLS_SSL_DTLS_SRTP)
memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
@@ -1474,7 +1479,8 @@
/* Cancel any possibly running timer */
mbedtls_ssl_set_timer(ssl, 0);
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ mbedtls_ssl_reset_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
/* Reset incoming message parsing */
ssl->in_offt = NULL;
@@ -1485,6 +1491,12 @@
ssl->keep_current_message = 0;
ssl->transform_in = NULL;
+ /* TLS: reset in_hsfraglen, which is part of message parsing.
+ * DTLS: on a client reconnect, don't reset badmac_seen. */
+ if (!partial) {
+ ssl->badmac_seen_or_in_hsfraglen = 0;
+ }
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
ssl->next_record_offset = 0;
ssl->in_epoch = 0;
@@ -5014,7 +5026,7 @@
* uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
* uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
* // fields from ssl_context
- * uint32 badmac_seen; // DTLS: number of records with failing MAC
+ * uint32 badmac_seen_or_in_hsfraglen; // DTLS: number of records with failing MAC
* uint64 in_window_top; // DTLS: last validated record seq_num
* uint64 in_window; // DTLS: bitmask for replay protection
* uint8 disable_datagram_packing; // DTLS: only one record per datagram
@@ -5156,7 +5168,7 @@
*/
used += 4;
if (used <= buf_len) {
- MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
+ MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen_or_in_hsfraglen, p, 0);
p += 4;
}
@@ -5386,7 +5398,7 @@
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
+ ssl->badmac_seen_or_in_hsfraglen = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 03722ac..67df428 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1057,28 +1057,6 @@
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
- {
- size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
- (unsigned) handshake_len));
-
- /* The record layer has a record size limit of 2^14 - 1 and
- * fragmentation is not supported, so buf[1] should be zero. */
- if (buf[1] != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
- (unsigned) buf[1]));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* We don't support fragmentation of ClientHello (yet?) */
- if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
- (unsigned) msg_len,
- (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
- (unsigned) handshake_len));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- }
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c
index 51e8781..b9a0fe8 100644
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@@ -743,6 +743,13 @@
* uint8 alpn_chosen_len;
* uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
*
+ * Note: In the mbedtls_ssl_context structure, badmac_seen is called
+ * badmac_seen_or_in_hsfraglen since Mbed TLS 3.6.2. The field contains
+ * the badmac_seen value in DTLS, and a handshake parsing intermediate
+ * value in non-DTLS TLS. The value is only meaningful for DTLS and should
+ * not be saved in non-DTLS TLS, so in this program, the context info file
+ * filed remains badmac_seen.
+ *
* /p ssl pointer to serialized session
* /p len number of bytes in the buffer
*/
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 301bfc4..7201432 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -53,6 +53,11 @@
# https://github.com/Mbed-TLS/mbedtls/issues/9581
'Opaque key for server authentication: invalid key: decrypt with ECC key, no async',
'Opaque key for server authentication: invalid key: ecdh with RSA key, no async',
+ # Temporary disable Handshake defragmentation tests until mbedtls
+ # pr #10011 has been merged.
+ 'Handshake defragmentation on client: len=4, TLS 1.2',
+ 'Handshake defragmentation on client: len=5, TLS 1.2',
+ 'Handshake defragmentation on client: len=13, TLS 1.2'
],
'test_suite_config.mbedtls_boolean': [
# We never test with CBC/PKCS5/PKCS12 enabled but
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 0376018..2645122 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -14457,6 +14457,529 @@
-c "Handshake was completed" \
-s "dumping .client hello, compression. (2 bytes)"
+# Handshake defragmentation testing
+
+# To guarantee that the handhake messages are large enough and need to be split
+# into fragments, the tests require certificate authentication. The party in control
+# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes).
+requires_certificate_authentication
+run_test "Handshake defragmentation on client (no fragmentation, for reference)" \
+ "$O_NEXT_SRV" \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -C "reassembled record" \
+ -C "waiting for more fragments"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=512, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+ -c "waiting for more fragments (512 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=512, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+ -c "waiting for more fragments (512 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=513, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+ -c "waiting for more fragments (513 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=513, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+ -c "waiting for more fragments (513 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=256, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+ -c "waiting for more fragments (256 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=256, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+ -c "waiting for more fragments (256 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=128, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+ -c "waiting for more fragments (128"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=128, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+ -c "waiting for more fragments (128"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=64, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+ -c "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=64, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+ -c "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=36, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+ -c "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=36, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+ -c "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=32, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+ -c "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=32, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+ -c "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=16, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+ -c "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=16, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+ -c "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=13, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+ -c "waiting for more fragments (13"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=13, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+ -c "waiting for more fragments (13"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=5, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+ -c "waiting for more fragments (5"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=5, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+ -c "waiting for more fragments (5"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=4, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+ -c "waiting for more fragments (4"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=4, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \
+ "$P_CLI debug_level=4 " \
+ 0 \
+ -c "reassembled record" \
+ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+ -c "waiting for more fragments (4"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on client: len=3, TLS 1.3" \
+ "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \
+ "$P_CLI debug_level=4 " \
+ 1 \
+ -c "=> ssl_tls13_process_server_hello" \
+ -c "handshake message too short: 3" \
+ -c "SSL - An invalid SSL record was received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "Handshake defragmentation on client: len=3, TLS 1.2" \
+ "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \
+ "$P_CLI debug_level=4 " \
+ 1 \
+ -c "handshake message too short: 3" \
+ -c "SSL - An invalid SSL record was received"
+
+requires_certificate_authentication
+run_test "Handshake defragmentation on server (no fragmentation, for reference)." \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -S "reassembled record" \
+ -S "waiting for more fragments"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=512, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+ -s "waiting for more fragments (512"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=512, TLS 1.2" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+ -s "waiting for more fragments (512"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=513, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+ -s "waiting for more fragments (513"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=513, TLS 1.2" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+ -s "waiting for more fragments (513"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=256, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+ -s "waiting for more fragments (256"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=256, TLS 1.2" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+ -s "waiting for more fragments (256"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=128, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+ -s "waiting for more fragments (128"
+
+# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing
+# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello.
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+ -s "waiting for more fragments (128"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=64, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+ -s "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+ -s "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=36, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+ -s "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+ -s "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=32, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+ -s "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+ -s "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=16, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+ -s "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+ -s "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=13, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+ -s "waiting for more fragments (13"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+ -s "waiting for more fragments (13"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=5, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+ -s "waiting for more fragments (5"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+ -s "waiting for more fragments (5"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=4, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+ -s "waiting for more fragments (4"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 0 \
+ -s "reassembled record" \
+ -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+ -s "waiting for more fragments (4"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=3, TLS 1.3" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 1 \
+ -s "<= parse client hello" \
+ -s "handshake message too short: 3" \
+ -s "SSL - An invalid SSL record was received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \
+ "$P_SRV debug_level=4 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 1 \
+ -s "<= parse client hello" \
+ -s "handshake message too short: 3" \
+ -s "SSL - An invalid SSL record was received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \
+ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 1 \
+ -s "The SSL configuration is tls12 only" \
+ -s "bad client hello message" \
+ -s "SSL - A message could not be parsed due to a syntactic error"
+
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG