crypto/tls: add client-side SNI support and PeerCertificates.

SNI (Server Name Indication) is a way for a TLS client to indicate to the server which name it knows the server by. This allows the server to have several names and return the correct certificate for each (virtual hosting). PeerCertificates returns the list of certificates presented by server. R=r CC=golang-dev https://golang.org/cl/1741053

crypto/tls: add client-side SNI support and PeerCertificates.
SNI (Server Name Indication) is a way for a TLS client to indicate to the server which name it knows the server by. This allows the server to have several names and return the correct certificate for each (virtual hosting). PeerCertificates returns the list of certificates presented by server. R=r CC=golang-dev https://golang.org/cl/1741053
7be849d4 · Adam Langley · 8286ee4c · 7be849d4 · 7be849d4 · 7be849d4
Commit 7be849d4 authored Jul 21, 2010 by Adam Langley
4 changed files
--- a/src/pkg/crypto/tls/common.go
+++ b/src/pkg/crypto/tls/common.go
@@ -85,6 +85,9 @@ type Config struct {
 	// NextProtos is a list of supported, application level protocols.
 	// Currently only server-side handling is supported.
 	NextProtos []string
+	// ServerName is included in the client's handshake to support virtual
+	// hosting.
+	ServerName string
 }
 type Certificate struct {

--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -5,6 +5,7 @@ package tls
 import (
 	"bytes"
 	"crypto/subtle"
+	"crypto/x509"
 	"hash"
 	"io"
 	"net"
@@ -27,6 +28,7 @@ type Conn struct {
 	handshakeComplete bool
 	cipherSuite       uint16
 	ocspResponse      []byte // stapled OCSP response
+	peerCertificates  []*x509.Certificate
 	clientProtocol string
@@ -651,3 +653,12 @@ func (c *Conn) OCSPResponse() []byte {
 	return c.ocspResponse
 }
+// PeerCertificates returns the certificate chain that was presented by the
+// other side.
+func (c *Conn) PeerCertificates() []*x509.Certificate {
+	c.handshakeMutex.Lock()
+	defer c.handshakeMutex.Unlock()
+	return c.peerCertificates
+}
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@@ -28,6 +28,7 @@ func (c *Conn) clientHandshake() os.Error {
 		compressionMethods: []uint8{compressionNone},
 		random:             make([]byte, 32),
 		ocspStapling:       true,
+		serverName:         c.config.ServerName,
 	}
 	t := uint32(c.config.Time())
@@ -107,6 +108,8 @@ func (c *Conn) clientHandshake() os.Error {
 		return c.sendAlert(alertUnsupportedCertificate)
 	}
+	c.peerCertificates = certs
 	if serverHello.certStatus {
 		msg, err = c.readHandshake()
 		if err != nil {

--- a/src/pkg/crypto/tls/handshake_messages.go
+++ b/src/pkg/crypto/tls/handshake_messages.go
@@ -100,7 +100,8 @@ func (m *clientHelloMsg) marshal() []byte {
 		//     ServerName server_name_list<1..2^16-1>
 		// } ServerNameList;
-		z[1] = 1
+		z[0] = byte((len(m.serverName) + 3) >> 8)
+		z[1] = byte(len(m.serverName) + 3)
 		z[3] = byte(len(m.serverName) >> 8)
 		z[4] = byte(len(m.serverName))
 		copy(z[5:], []byte(m.serverName))