crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely, which allows a server to optionally return a "certificate_status" message when responding to a client hello containing the "status_request" extension. fixes #8549 Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7 Reviewed-on: https://go-review.googlesource.com/86115 Reviewed-by: Adam Langley <agl@golang.org>
This commit is contained in:
parent
2e765efc88
commit
f1a5602bba
@ -444,27 +444,35 @@ func (hs *clientHandshakeState) doFullHandshake() error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if hs.serverHello.ocspStapling {
|
|
||||||
msg, err = c.readHandshake()
|
msg, err = c.readHandshake()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
cs, ok := msg.(*certificateStatusMsg)
|
cs, ok := msg.(*certificateStatusMsg)
|
||||||
if !ok {
|
if ok {
|
||||||
|
// RFC4366 on Certificate Status Request:
|
||||||
|
// The server MAY return a "certificate_status" message.
|
||||||
|
|
||||||
|
if !hs.serverHello.ocspStapling {
|
||||||
|
// If a server returns a "CertificateStatus" message, then the
|
||||||
|
// server MUST have included an extension of type "status_request"
|
||||||
|
// with empty "extension_data" in the extended server hello.
|
||||||
|
|
||||||
c.sendAlert(alertUnexpectedMessage)
|
c.sendAlert(alertUnexpectedMessage)
|
||||||
return unexpectedMessageError(cs, msg)
|
return errors.New("tls: received unexpected CertificateStatus message")
|
||||||
}
|
}
|
||||||
hs.finishedHash.Write(cs.marshal())
|
hs.finishedHash.Write(cs.marshal())
|
||||||
|
|
||||||
if cs.statusType == statusTypeOCSP {
|
if cs.statusType == statusTypeOCSP {
|
||||||
c.ocspResponse = cs.response
|
c.ocspResponse = cs.response
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
msg, err = c.readHandshake()
|
msg, err = c.readHandshake()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
keyAgreement := hs.suite.ka(c.vers)
|
keyAgreement := hs.suite.ka(c.vers)
|
||||||
|
|
||||||
|
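Review bot: With the check relaxed to `if ok {`, a server that negotiated status_request (hs.serverHello.ocspStapling true) but never sends CertificateStatus is now accepted silently, and c.ocspResponse is assigned only inside that block, so it presumably stays unset for the rest of the handshake with no record that a stapled response was expected. That is what RFC 4366 (now RFC 6066, section 8) permits, but it changes what callers can infer: a non-nil ConnectionState().OCSPResponse must be checked explicitly rather than assumed from negotiation, and the hunk should say so, e.g. above `if ok {`: `// The server may omit CertificateStatus even after negotiating status_request; c.ocspResponse is then left unset and callers must check for it.` The handling of a CertificateStatus whose `cs.statusType != statusTypeOCSP` (hashed into finishedHash but not stored) is pre-existing and unchanged here. doFullHandshake begins and ends outside the hunk.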