tris: tolerate NSS sending obfuscated_ticket_age as seconds
parent
faefac5f1a
commit
1bc19494f8
4
13.go
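--- a/13.go
+++ b/13.go
@@ -436,9 +436,13 @@ func (hs *serverHandshakeState) checkPSK() (earlySecret []byte, ok bool) {
 }
 clientAge := time.Duration(hs.clientHello.psks[i].obfTicketAge-s.ageAdd) * time.Millisecond
 serverAge := time.Since(time.Unix(int64(s.createdAt), 0))
+if clientAge-serverAge > ticketAgeSkewAllowance || clientAge-serverAge < -ticketAgeSkewAllowance {
+// XXX: NSS is off spec and sends obfuscated_ticket_age as seconds
+clientAge = time.Duration(hs.clientHello.psks[i].obfTicketAge-s.ageAdd) * time.Second
 if clientAge-serverAge > ticketAgeSkewAllowance || clientAge-serverAge < -ticketAgeSkewAllowance {
 continue
 }
+}
 
 // This enforces the stricter 0-RTT requirements on all ticket uses.
 // The benefit of using PSK+ECDHE without 0-RTT are small enough that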
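Review bot: The seconds fallback in the new outer `if` applies to every client, so a ticket now passes the age check when either the millisecond or the seconds reading of `obfTicketAge-s.ageAdd` falls within `ticketAgeSkewAllowance`. Since the trailing comment says this check enforces the 0-RTT requirements on all ticket uses, the second reading adds a freshness window at roughly 1000 times the age the client actually reported, which weakens the check as a replay bound for early data. I would keep the tolerance for resumption only and record it at the fallback, e.g. `// NOTE: seconds reading is a compatibility fallback; a PSK accepted here must not be used for 0-RTT`, with the matching flag carried to wherever early data is accepted (that code is outside this hunk). A test that drives a seconds-encoded age through `checkPSK` would pin the intended behaviour. The body of `checkPSK` starts and ends outside the hunk, so how the surrounding loop uses `continue` is inferred.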