Fix certificate validation.

asn1: add support for T61String because this is the string type which several www.google.com certificates are now using for fields like CommonName tls: force a handshake in Dial so that certificates are ready afterwards. Fixes #1114. R=rsc CC=golang-dev https://golang.org/cl/2216043
2010-09-20 10:32:08 -04:00 · 2010-09-20 10:32:08 -04:00 · ed8da7bff6
commit ed8da7bff6
parent 657e8dab30
2 changed files with 16 additions and 2 deletions
--- a/conn.go
+++ b/conn.go
@ -675,5 +675,13 @@ func (c *Conn) PeerCertificates() []*x509.Certificate {
 // connecting to host.  If so, it returns nil; if not, it returns an os.Error
 // describing the problem.
 func (c *Conn) VerifyHostname(host string) os.Error {
-	return c.PeerCertificates()[0].VerifyHostname(host)
+	c.handshakeMutex.Lock()
+	defer c.handshakeMutex.Unlock()
+	if !c.isClient {
+		return os.ErrorString("VerifyHostname called on TLS server connection")
+	}
+	if !c.handshakeComplete {
+		return os.ErrorString("TLS handshake has not yet been performed")
+	}
+	return c.peerCertificates[0].VerifyHostname(host)
 }
--- a/tls.go
+++ b/tls.go
@ -67,7 +67,13 @@ func Dial(network, laddr, raddr string) (net.Conn, os.Error) {
 	if err != nil {
 		return nil, err
 	}
-	return Client(c, nil), nil
+	conn := Client(c, nil)
+	err = conn.Handshake()
+	if err == nil {
+		return conn, nil
+	}
+	c.Close()
+	return nil, err
 }

 // LoadX509KeyPair