CertificateStatus is optional.
Because RFC 6066 is obnoxious like that and IIS servers actually do this when OCSP-stapling is configured but the OCSP server cannot be reached.

BUG=478947
Change-Id: I3d34c1497e0b6b02d706278dcea5ceb684ff60ae
Reviewed-on: https://boringssl-review.googlesource.com/4461
Reviewed-by: Adam Langley <agl@google.com>
parent
2c6080f192
commit
dcd979f1a4
@ -1575,12 +1575,19 @@ int ssl3_get_cert_status(SSL *s) {
|
|||||||
|
|
||||||
n = s->method->ssl_get_message(
|
n = s->method->ssl_get_message(
|
||||||
s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B,
|
s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B,
|
||||||
SSL3_MT_CERTIFICATE_STATUS, 16384, ssl_hash_message, &ok);
|
-1, 16384, ssl_hash_message, &ok);
|
||||||
|
|
||||||
if (!ok) {
|
if (!ok) {
|
||||||
return n;
|
return n;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) {
|
||||||
|
/* A server may send status_request in ServerHello and then change
|
||||||
|
* its mind about sending CertificateStatus. */
|
||||||
|
s->s3->tmp.reuse_message = 1;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
CBS_init(&certificate_status, s->init_msg, n);
|
CBS_init(&certificate_status, s->init_msg, n);
|
||||||
if (!CBS_get_u8(&certificate_status, &status_type) ||
|
if (!CBS_get_u8(&certificate_status, &status_type) ||
|
||||||
status_type != TLSEXT_STATUSTYPE_ocsp ||
|
status_type != TLSEXT_STATUSTYPE_ocsp ||
|
||||||
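Review bot: Passing `-1` as the expected type means the `16384` cap in this `ssl_get_message` call now also bounds whatever message arrives in place of CertificateStatus, before it is handed back through `reuse_message`. If the handshake states that follow allow a larger maximum for ServerKeyExchange or CertificateRequest (not visible in this hunk), a server that skips the staple and sends one of those above 16384 bytes would fail here rather than in its own state, so it is worth confirming the limits agree. The new comment could also state the caller-visible result, for example `/* No OCSP response is parsed on this path; callers that require a staple must check for its absence. */`. The body of ssl3_get_cert_status starts and ends outside the hunk.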
|
@ -434,6 +434,11 @@ type ProtocolBugs struct {
|
|||||||
// HelloVerifyRequest message.
|
// HelloVerifyRequest message.
|
||||||
SkipHelloVerifyRequest bool
|
SkipHelloVerifyRequest bool
|
||||||
|
|
||||||
|
// SkipCertificateStatus, if true, causes the server to skip the
|
||||||
|
// CertificateStatus message. This is legal because CertificateStatus is
|
||||||
|
// optional, even with a status_request in ServerHello.
|
||||||
|
SkipCertificateStatus bool
|
||||||
|
|
||||||
// SkipServerKeyExchange causes the server to skip sending
|
// SkipServerKeyExchange causes the server to skip sending
|
||||||
// ServerKeyExchange messages.
|
// ServerKeyExchange messages.
|
||||||
SkipServerKeyExchange bool
|
SkipServerKeyExchange bool
|
||||||
|
@ -521,7 +521,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if hs.hello.ocspStapling {
|
if hs.hello.ocspStapling && !c.config.Bugs.SkipCertificateStatus {
|
||||||
certStatus := new(certificateStatusMsg)
|
certStatus := new(certificateStatusMsg)
|
||||||
certStatus.statusType = statusTypeOCSP
|
certStatus.statusType = statusTypeOCSP
|
||||||
certStatus.response = hs.cert.OCSPStaple
|
certStatus.response = hs.cert.OCSPStaple
|
||||||
|
@ -300,6 +300,18 @@ var testCases = []testCase{
|
|||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
expectedError: ":UNEXPECTED_MESSAGE:",
|
expectedError: ":UNEXPECTED_MESSAGE:",
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "SkipCertificateStatus",
|
||||||
|
config: Config{
|
||||||
|
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||||
|
Bugs: ProtocolBugs{
|
||||||
|
SkipCertificateStatus: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
flags: []string{
|
||||||
|
"-enable-ocsp-stapling",
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "SkipServerKeyExchange",
|
name: "SkipServerKeyExchange",
|
||||||
config: Config{
|
config: Config{
|
||||||
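Review bot: The new `SkipCertificateStatus` case only exercises the path where the message following the skipped CertificateStatus is ServerKeyExchange, because the single configured suite is ECDHE_RSA. The client's reuse branch is presumably also reached when the next message is ServerHelloDone or CertificateRequest, so a second case with a non-ephemeral suite, and one with client authentication requested, would cover those. The case passes only `-enable-ocsp-stapling`, so it checks that the handshake completes but not that the client ends up with no stapled response; a comment such as `// Handshake must succeed with no OCSP response delivered.` would make the expectation explicit. The testCases literal continues outside the hunk.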
|