CertificateStatus is optional.

Because RFC 6066 is obnoxious like that and IIS servers actually do this
when OCSP-stapling is configured, but the OCSP server cannot be reached.

BUG=478947

Change-Id: I3d34c1497e0b6b02d706278dcea5ceb684ff60ae
Reviewed-on: https://boringssl-review.googlesource.com/4461
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2015-04-20 18:26:52 -04:00 committed by Adam Langley
parent 2c6080f192
commit dcd979f1a4
4 changed files with 26 additions and 2 deletions

View File

@ -1575,12 +1575,19 @@ int ssl3_get_cert_status(SSL *s) {
n = s->method->ssl_get_message( n = s->method->ssl_get_message(
s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B, s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B,
SSL3_MT_CERTIFICATE_STATUS, 16384, ssl_hash_message, &ok); -1, 16384, ssl_hash_message, &ok);
if (!ok) { if (!ok) {
return n; return n;
} }
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) {
/* A server may send status_request in ServerHello and then change
* its mind about sending CertificateStatus. */
s->s3->tmp.reuse_message = 1;
return 1;
}
CBS_init(&certificate_status, s->init_msg, n); CBS_init(&certificate_status, s->init_msg, n);
if (!CBS_get_u8(&certificate_status, &status_type) || if (!CBS_get_u8(&certificate_status, &status_type) ||
status_type != TLSEXT_STATUSTYPE_ocsp || status_type != TLSEXT_STATUSTYPE_ocsp ||

View File

@ -434,6 +434,11 @@ type ProtocolBugs struct {
// HelloVerifyRequest message. // HelloVerifyRequest message.
SkipHelloVerifyRequest bool SkipHelloVerifyRequest bool
// SkipCertificateStatus, if true, causes the server to skip the
// CertificateStatus message. This is legal because CertificateStatus is
// optional, even with a status_request in ServerHello.
SkipCertificateStatus bool
// SkipServerKeyExchange causes the server to skip sending // SkipServerKeyExchange causes the server to skip sending
// ServerKeyExchange messages. // ServerKeyExchange messages.
SkipServerKeyExchange bool SkipServerKeyExchange bool

View File

@ -521,7 +521,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
} }
} }
if hs.hello.ocspStapling { if hs.hello.ocspStapling && !c.config.Bugs.SkipCertificateStatus {
certStatus := new(certificateStatusMsg) certStatus := new(certificateStatusMsg)
certStatus.statusType = statusTypeOCSP certStatus.statusType = statusTypeOCSP
certStatus.response = hs.cert.OCSPStaple certStatus.response = hs.cert.OCSPStaple

View File

@ -300,6 +300,18 @@ var testCases = []testCase{
shouldFail: true, shouldFail: true,
expectedError: ":UNEXPECTED_MESSAGE:", expectedError: ":UNEXPECTED_MESSAGE:",
}, },
{
name: "SkipCertificateStatus",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Bugs: ProtocolBugs{
SkipCertificateStatus: true,
},
},
flags: []string{
"-enable-ocsp-stapling",
},
},
{ {
name: "SkipServerKeyExchange", name: "SkipServerKeyExchange",
config: Config{ config: Config{