path: root/src/runtime
author Roland Shoemaker <roland@golang.org> 2026-01-26 11:18:45 -0800
committer Gopher Robot <gobot@golang.org> 2026-01-28 08:15:14 -0800
commit 026fa9dc597ea8e5280d7531ce7f193ed157cad0 (patch)
tree 7813b366c8c14e02218bb34fae151278aec02e93 /src/runtime
parent 133b339ca546937919ee3a8027f15470ebeb88b9 (diff)
download go-026fa9dc597ea8e5280d7531ce7f193ed157cad0.tar.xz
crypto/tls: check verifiedChains roots when resuming sessions
When resuming TLS sessions, on the server and client verify that the chains stored in the session state (verifiedChains) are still acceptable with regards to the Config by checking for the inclusion of the root in either ClientCAs (server) or RootCAs (client). This prevents resuming a session with a certificate chain that would be rejected during a full handshake due to an untrusted root.

Updates #77113
Updates #77217
Updates CVE-2025-68121

Change-Id: I11fe00909ef1961c24ecf80bf5b97f7b1121d359
Reviewed-on: https://go-review.googlesource.com/c/go/+/737700
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Coia Prant <coiaprant@gmail.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'src/runtime')
0 files changed, 0 insertions, 0 deletions
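
The check the commit message describes can be illustrated outside crypto/tls. The following is an added example, not code from this commit or from the Go project: it tests whether the root of a stored chain is still accepted by the current pool, using Certificate.Verify against that pool as a public-API stand-in for the inclusion test. The names must, newRoot and rootStillTrusted are hypothetical, and the certificates are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newRoot returns a constructed self-signed CA certificate (sample input only).
func newRoot(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// rootStillTrusted reports whether any stored chain ends in a root the pool accepts today.
func rootStillTrusted(chains [][]*x509.Certificate, pool *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, chain := range chains {
		if n := len(chain); n > 0 {
			if _, err := chain[n-1].Verify(opts); err == nil {
				return true
			}
		}
	}
	return false
}

func main() {
	a, kept, rotated := newRoot("constructed root A"), x509.NewCertPool(), x509.NewCertPool()
	kept.AddCert(a)                                // pool unchanged since the original handshake
	rotated.AddCert(newRoot("constructed root B")) // pool after root A was removed
	fmt.Println(rootStillTrusted([][]*x509.Certificate{{a}}, kept), rootStillTrusted([][]*x509.Certificate{{a}}, rotated)) // true false
}
```

An application could run such a check from tls.Config.VerifyConnection on connections where ConnectionState.DidResume is true, passing ConnectionState.VerifiedChains and its current pool.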