Reject empty records of unexpected type.

The old empty record logic discarded the records at a very low-level.
Let the error bubble up to ssl3_read_bytes so the type mismatch logic
may kick in before the empty record is skipped.

Add tests for when the record in question is application data, before
before the handshake and post ChangeCipherSpec.


Change-Id: I47dff389cda65d6672b9be39d7d89490331063fa
Reviewed-by: Adam Langley <>
7 files changed