Diffstat (limited to 'src/crypto/tls/handshake_server_tls13.go')
-rw-r--r--src/crypto/tls/handshake_server_tls13.go8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
index 11dbaa9f0a..bce94ed2d8 100644
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -14,6 +14,7 @@ import (
"crypto/internal/fips140/tls13"
"crypto/rsa"
"crypto/tls/internal/fips140tls"
+ "crypto/x509"
"errors"
"fmt"
"hash"
@@ -369,8 +370,13 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
continue
}
+ opts := x509.VerifyOptions{
+ CurrentTime: c.config.time(),
+ Roots: c.config.ClientCAs,
+ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ }
if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
- !anyUnexpiredChain(sessionState.verifiedChains, c.config.time()) {
+ !anyValidVerifiedChain(sessionState.verifiedChains, opts) {
continue
}
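Review bot: The new `opts` literal carries the security reason for this change but has no comment: resumption now appears to require that a stored chain still validates against the server's current `ClientCAs` with the client-auth EKU, rather than merely being unexpired. I would add above `opts := x509.VerifyOptions{` a line such as `// Re-check the stored chains against the current ClientCAs and time, so a session saved under a different trust configuration is not resumed without client auth being re-evaluated.` The options are also rebuilt on every pass through what looks like the per-identity loop (the `continue` statements suggest one; the loop header and the rest of checkForResumption are outside the hunk), even when `sessionHasClientCerts` is false, and `c.config.time()` is read separately for the leaf expiry check and for `CurrentTime`; reading the time once and building `opts` before the loop would keep both checks on the same instant. A nil `Roots` makes x509 verification fall back to the system roots, so it is worth confirming that `anyValidVerifiedChain` (not shown here) behaves as intended when `ClientCAs` is unset.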