crypto/tls: don't reverify but check certificate expiration on resumption - go - Fork of Go programming language with my patches.

diff options

author	Filippo Valsorda <filippo@golang.org>	2023-05-24 15:49:56 +0200
committer	Gopher Robot <gobot@golang.org>	2023-05-25 00:14:50 +0000
commit	d4bd855cfb5319bfa560251d60a93369c0ce0763 (patch)
tree	dd4ebf0ed61450cfe1519c631ec737ae8235f418 /src/errors
parent	b267db08b22de7a7bbe700530fd9e71ca060610f (diff)
download	go-d4bd855cfb5319bfa560251d60a93369c0ce0763.tar.xz

crypto/tls: don't reverify but check certificate expiration on resumption

We used to inconsistently run certificate verification on the server on resumption, but not on the client. This made TLS 1.3 resumption pretty much useless, as it didn't save bytes, CPU, or round-trips. This requires serializing the verified chains into the session ticket, so it's a tradeoff making the ticket bigger to save computation (and for consistency). The previous behavior also had a "stickyness" issue: if a ticket contained invalid certificates, they would be used even if the client had in the meantime configured valid certificates for a full handshake. We also didn't check expiration on the client side on resumption if InsecureSkipVerify was set. Again for consistency, we do that now. Also, we used to run VerifyPeerCertificates on resumption even if NoClientCerts was set. Fixes #31641 Change-Id: Icc88269ea4adb544fa81158114aae76f3c91a15f Reviewed-on: https://go-review.googlesource.com/c/go/+/497895 Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org>

Diffstat (limited to 'src/errors')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: