    crypto/tls: fix ConnectionState().VerifiedChains for resumed connection · 46a29138
    Russ Cox authored
    Strengthening VerifyHostname exposed the fact that for resumed
    connections, ConnectionState().VerifiedChains was not being saved
    and restored during the ClientSessionCache operations.
    Do that.
    
    This change just saves the verified chains in the client's session
    cache. It does not re-verify the certificates when resuming a
    connection.
    
    There are arguments both ways about this: we want fast, light-weight
    resumption connections (thus suggesting that we shouldn't verify) but
    it could also be a little surprising that, if the verification config
    is changed, that would be ignored if the same session cache is used.
    
    On the server side we do re-verify client-auth certificates, but the
    situation is a little different there. The client session cache is an
    object in memory that's reset each time the process restarts. But the
    server's session cache is a conceptual object, held by the clients, so
    can persist across server restarts. Thus the chance of a change in
    verification config being surprisingly ignored is much higher in the
    server case.
    
    Fixes #12024.
    
    Change-Id: I3081029623322ce3d9f4f3819659fdd9a381db16
    Reviewed-on: https://go-review.googlesource.com/13164
    Reviewed-by: Russ Cox <rsc@golang.org>
    Run-TryBot: Russ Cox <rsc@golang.org>
    Reviewed-by: Adam Langley <agl@golang.org>
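
The behaviour this commit describes, seen from a caller that relies on ConnectionState().VerifiedChains, as an added example (not code from the commit or the Go project). HandshakeInfo, dialOnce and ResumeDemo are hypothetical names; the server is net/http/httptest's local test server with its built-in certificate, and TLS is capped at 1.2 so the session ticket is cached by the time Dial returns.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// HandshakeInfo is a hypothetical summary of one connection's state.
type HandshakeInfo struct{ Resumed bool; Chains int }

// dialOnce handshakes and refuses any connection without verified chains.
func dialOnce(addr string, cfg *tls.Config) (HandshakeInfo, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return HandshakeInfo{}, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	if len(st.VerifiedChains) == 0 {
		return HandshakeInfo{}, fmt.Errorf("no verified chains (resumed=%v)", st.DidResume)
	}
	return HandshakeInfo{st.DidResume, len(st.VerifiedChains)}, nil
}

// ResumeDemo dials a local test server twice through one session cache.
func ResumeDemo() (first, second HandshakeInfo, err error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{
		RootCAs:            roots,
		ServerName:         "example.com", // name in httptest's built-in certificate
		ClientSessionCache: tls.NewLRUClientSessionCache(4),
		MaxVersion:         tls.VersionTLS12, // ticket arrives during the handshake
	}
	addr := srv.Listener.Addr().String()
	if first, err = dialOnce(addr, cfg); err != nil {
		return
	}
	second, err = dialOnce(addr, cfg)
	return
}

func main() {
	fmt.Println(ResumeDemo())
}
```

The second connection is resumed from the cache and still reports the chains verified on the first one; they are restored from the session entry, not recomputed.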