From 8cf5d703de4f143385e733054e665128d2cdb1eb Mon Sep 17 00:00:00 2001 From: Anthony Martin Date: Tue, 4 Feb 2014 10:51:37 -0500 Subject: [PATCH] crypto/tls: do not send the current time in hello messages This reduces the ability to fingerprint TLS connections. The impeteus for this change was a recent change to OpenSSL by Nick Mathewson: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2016265dfb LGTM=agl R=agl CC=golang-codereviews https://golang.org/cl/57230043 --- handshake_client.go | 7 +------ handshake_server.go | 9 ++------- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/handshake_client.go b/handshake_client.go index 49ff0d7..dbbccfe 100644 --- a/handshake_client.go +++ b/handshake_client.go @@ -63,12 +63,7 @@ NextCipherSuite: } } - t := uint32(c.config.time().Unix()) - hello.random[0] = byte(t >> 24) - hello.random[1] = byte(t >> 16) - hello.random[2] = byte(t >> 8) - hello.random[3] = byte(t) - _, err := io.ReadFull(c.config.rand(), hello.random[4:]) + _, err := io.ReadFull(c.config.rand(), hello.random) if err != nil { c.sendAlert(alertInternalError) return errors.New("tls: short read from Rand: " + err.Error()) diff --git a/handshake_server.go b/handshake_server.go index ceb032a..e441ccb 100644 --- a/handshake_server.go +++ b/handshake_server.go @@ -146,17 +146,12 @@ Curves: } hs.hello.vers = c.vers - t := uint32(config.time().Unix()) hs.hello.random = make([]byte, 32) - hs.hello.random[0] = byte(t >> 24) - hs.hello.random[1] = byte(t >> 16) - hs.hello.random[2] = byte(t >> 8) - hs.hello.random[3] = byte(t) - hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation - _, err = io.ReadFull(config.rand(), hs.hello.random[4:]) + _, err = io.ReadFull(config.rand(), hs.hello.random) if err != nil { return false, c.sendAlert(alertInternalError) } + hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation hs.hello.compressionMethod = compressionNone if len(hs.clientHello.serverName) > 0 { c.serverName = hs.clientHello.serverName