aboutsummaryrefslogtreecommitdiff
path: root/src/crypto/tls/handshake_client.go
diff options
context:
space:
mode:
Diffstat (limited to 'src/crypto/tls/handshake_client.go')
-rw-r--r--src/crypto/tls/handshake_client.go10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index c2b1b7037a..d1ad9d582b 100644
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -397,9 +397,6 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
return nil, nil, nil, nil
}
- // Check that the cached server certificate is not expired, and that it's
- // valid for the ServerName. This should be ensured by the cache key, but
- // protect the application from a faulty ClientSessionCache implementation.
if c.config.time().After(session.peerCertificates[0].NotAfter) {
// Expired certificate, delete the entry.
c.config.ClientSessionCache.Put(cacheKey, nil)
@@ -411,6 +408,13 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
return nil, nil, nil, nil
}
if err := session.peerCertificates[0].VerifyHostname(c.config.ServerName); err != nil {
+ // This should be ensured by the cache key, but protect the
+ // application from a faulty ClientSessionCache implementation.
+ return nil, nil, nil, nil
+ }
+ if !anyUnexpiredChain(session.verifiedChains, c.config.time()) {
+ // No valid chains, delete the entry.
+ c.config.ClientSessionCache.Put(cacheKey, nil)
return nil, nil, nil, nil
}
}
generated by cgit v1.3 (git 2.53.0) at 2026-04-15 01:52:12 +0000