tris: tolerate NSS sending obfuscated_ticket_age as seconds
parent
faefac5f1a
commit
1bc19494f8
4
13.go
4
13.go
@ -436,9 +436,13 @@ func (hs *serverHandshakeState) checkPSK() (earlySecret []byte, ok bool) {
|
||||
}
|
||||
clientAge := time.Duration(hs.clientHello.psks[i].obfTicketAge-s.ageAdd) * time.Millisecond
|
||||
serverAge := time.Since(time.Unix(int64(s.createdAt), 0))
|
||||
if clientAge-serverAge > ticketAgeSkewAllowance || clientAge-serverAge < -ticketAgeSkewAllowance {
|
||||
// XXX: NSS is off spec and sends obfuscated_ticket_age as seconds
|
||||
clientAge = time.Duration(hs.clientHello.psks[i].obfTicketAge-s.ageAdd) * time.Second
|
||||
if clientAge-serverAge > ticketAgeSkewAllowance || clientAge-serverAge < -ticketAgeSkewAllowance {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
// This enforces the stricter 0-RTT requirements on all ticket uses.
|
||||
// The benefit of using PSK+ECDHE without 0-RTT are small enough that
|
||||
|
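Review bot: The seconds fallback inside the outer `if` gives every ticket a second accepted age window: a ClientHello whose age fails the millisecond check is now also accepted when the same value read as seconds matches `serverAge`. The comment right after the block says this check enforces the 0-RTT requirements on all ticket uses, so the freshness bound it provides is looser than before. If early data can be accepted on this path (not visible in the hunk), the fallback should be limited to handshakes without early data or put behind a compatibility switch, and the XXX comment should record the cost, e.g. `// XXX: NSS sends obfuscated_ticket_age as seconds; this fallback adds a second accepted age window, remove once NSS is fixed`. The duplicated skew condition would also read better as `skew := clientAge - serverAge`, computed once per unit and tested against `ticketAgeSkewAllowance`. checkPSK starts and ends outside the hunk.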