diff options
| author | Roland Shoemaker <roland@golang.org> | 2026-01-26 10:55:32 -0800 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2026-01-28 08:13:28 -0800 |
| commit | 133b339ca546937919ee3a8027f15470ebeb88b9 (patch) | |
| tree | c49d90807ce8bac22aecf5bd8c7764dcadc5b68c /src/crypto/tls/handshake_server_tls13.go | |
| parent | 4f9c3439a37314e63bdae7dad7abfded1647bed2 (diff) | |
| download | go-133b339ca546937919ee3a8027f15470ebeb88b9.tar.xz | |
crypto/tls: add verifiedChains expiration checking during resumption
When resuming a session, check that the verifiedChains contain at least
one chain that is still valid at the time of resumption. If not, trigger
a new handshake.
Updates #77113
Updates #77217
Updates CVE-2025-68121
Change-Id: I14f585c43da17802513cbdd5b10c552d7a38b34e
Reviewed-on: https://go-review.googlesource.com/c/go/+/739321
Reviewed-by: Coia Prant <coiaprant@gmail.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Diffstat (limited to 'src/crypto/tls/handshake_server_tls13.go')
| -rw-r--r-- | src/crypto/tls/handshake_server_tls13.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go index b066924e29..11dbaa9f0a 100644 --- a/src/crypto/tls/handshake_server_tls13.go +++ b/src/crypto/tls/handshake_server_tls13.go @@ -370,7 +370,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error { continue } if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven && - len(sessionState.verifiedChains) == 0 { + !anyUnexpiredChain(sessionState.verifiedChains, c.config.time()) { continue } |