• Russ Cox's avatar
    crypto/tls: fix ConnectionState().VerifiedChains for resumed connection · 46a29138
    Russ Cox authored
    Strengthening VerifyHostname exposed the fact that for resumed
    connections, ConnectionState().VerifiedChains was not being saved
    and restored during the ClientSessionCache operations.
    Do that.
    
    This change just saves the verified chains in the client's session
    cache. It does not re-verify the certificates when resuming a
    connection.
    
    There are arguments both ways about this: we want fast, light-weight
    resumption connections (thus suggesting that we shouldn't verify) but
    it could also be a little surprising that, if the verification config
    is changed, that would be ignored if the same session cache is used.
    
    On the server side we do re-verify client-auth certificates, but the
    situation is a little different there. The client session cache is an
    object in memory that's reset each time the process restarts. But the
    server's session cache is a conceptual object, held by the clients, so
    can persist across server restarts. Thus the chance of a change in
    verification config being surprisingly ignored is much higher in the
    server case.
    
    Fixes #12024.
    
    Change-Id: I3081029623322ce3d9f4f3819659fdd9a381db16
    Reviewed-on: https://go-review.googlesource.com/13164Reviewed-by: 's avatarRuss Cox <rsc@golang.org>
    Run-TryBot: Russ Cox <rsc@golang.org>
    Reviewed-by: 's avatarAdam Langley <agl@golang.org>
    46a29138
handshake_client.go 18 KB