From 16688ac2f81e05c406c2b56a6df2fd7373aa2958 Mon Sep 17 00:00:00 2001
From: RPRX <63339210+RPRX@users.noreply.github.com>
Date: Tue, 7 Mar 2023 13:58:10 +0000
Subject: [PATCH] crypto/tls: reject change_cipher_spec record after handshake
 in TLS 1.3

---
 src/crypto/tls/conn.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
index a5e19dcc52..1eb0ffc871 100644
--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
@@ -728,7 +728,7 @@ func (c *Conn) readRecordOrCCS(expectChangeCipherSpec bool) error {
 		// 5, a server can send a ChangeCipherSpec before its ServerHello, when
 		// c.vers is still unset. That's not useful though and suspicious if the
 		// server then selects a lower protocol version, so don't allow that.
-		if c.vers == VersionTLS13 {
+		if c.vers == VersionTLS13 && !handshakeComplete {
 			return c.retryReadRecord(expectChangeCipherSpec)
 		}
 		if !expectChangeCipherSpec {