crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely which allows a server to optionally return a "certificate_status" when responding to a client hello containing "status_request" extension. fixes #8549 Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7 Reviewed-on: https://go-review.googlesource.com/86115 Reviewed-by: Adam Langley <agl@golang.org>
This commit is contained in:
parent
2e765efc88
commit
f1a5602bba
@ -444,27 +444,35 @@ func (hs *clientHandshakeState) doFullHandshake() error {
|
||||
}
|
||||
}
|
||||
|
||||
if hs.serverHello.ocspStapling {
|
||||
msg, err = c.readHandshake()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cs, ok := msg.(*certificateStatusMsg)
|
||||
if !ok {
|
||||
if ok {
|
||||
// RFC4366 on Certificate Status Request:
|
||||
// The server MAY return a "certificate_status" message.
|
||||
|
||||
if !hs.serverHello.ocspStapling {
|
||||
// If a server returns a "CertificateStatus" message, then the
|
||||
// server MUST have included an extension of type "status_request"
|
||||
// with empty "extension_data" in the extended server hello.
|
||||
|
||||
c.sendAlert(alertUnexpectedMessage)
|
||||
return unexpectedMessageError(cs, msg)
|
||||
return errors.New("tls: received unexpected CertificateStatus message")
|
||||
}
|
||||
hs.finishedHash.Write(cs.marshal())
|
||||
|
||||
if cs.statusType == statusTypeOCSP {
|
||||
c.ocspResponse = cs.response
|
||||
}
|
||||
}
|
||||
|
||||
msg, err = c.readHandshake()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
keyAgreement := hs.suite.ka(c.vers)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user