Commit Graph

225 Commits

Author SHA1 Message Date
Jonathan Rudenberg
28ca92f12d crypto/tls: add OCSP response to ConnectionState
The OCSP response is currently only exposed via a method on Conn,
which makes it inaccessible when using wrappers like net/http. The
ConnectionState structure is typically available even when using
wrappers and contains many of the other handshake details, so this
change exposes the stapled OCSP response in that structure.

Change-Id: If8dab49292566912c615d816321b4353e711f71f
Reviewed-on: https://go-review.googlesource.com/9361
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-04-26 22:00:13 +00:00
Jonathan Rudenberg
03a329f274 crypto/tls: add support for session ticket key rotation
This change adds a new method to tls.Config, SetSessionTicketKeys, that
changes the key used to encrypt session tickets while the server is
running. Additional keys may be provided that will be used to maintain
continuity while rotating keys. If a ticket encrypted with an old key is
provided by the client, the server will resume the session and provide
the client with a ticket encrypted using the new key.

Fixes #9994

Change-Id: Idbc16b10ff39616109a51ed39a6fa208faad5b4e
Reviewed-on: https://go-review.googlesource.com/9072
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-26 20:57:28 +00:00
Jonathan Rudenberg
8ea126be4d crypto/tls: add support for Certificate Transparency
This change adds support for serving and receiving Signed Certificate
Timestamps as described in RFC 6962.

The server is now capable of serving SCTs listed in the Certificate
structure. The client now asks for SCTs and, if any are received,
they are exposed in the ConnectionState structure.

Fixes #10201

Change-Id: Ib3adae98cb4f173bc85cec04d2bdd3aa0fec70bb
Reviewed-on: https://go-review.googlesource.com/8988
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
2015-04-26 16:53:11 +00:00
Jonathan Rudenberg
65d33c3580 crypto/tls: fix test data generation
- Multiple GetCertificate tests shared the same name and were
  overwriting each other, each test now has a unique name.
- expectAlert was not implemented in the data updater, the single
  test that used it has been replaced with a ClientHello failure
  test.

Fixes #10470

Change-Id: I500738f6302ffa863d7ee45d85fa8773155e0614
Reviewed-on: https://go-review.googlesource.com/8959
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-04-16 18:16:37 +00:00
Adam Langley
0c7dc105c1 crypto/tls: tidy up a little and add test.
This is a follow on to 28f33b4a which removes one of the boolean flags
and adds a test for the key-driven cipher selection.

Change-Id: If2a400de807eb19110352912a9f467491cc8986c
Reviewed-on: https://go-review.googlesource.com/8428
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Jacob Haven <jacob@cloudflare.com>
2015-04-04 00:06:21 +00:00
Jacob H. Haven
14accaf7f3 crypto/tls: make use of crypto.Signer and crypto.Decrypter
This change replaces all direct ECDSA/RSA sign and decrypt operations
with calls through the crypto.Signer and crypto.Decrypter interfaces.

This is a follow-up to https://go-review.googlesource.com/#/c/3900/
which added crypto.Decrypter and implemented it for RSA.

Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d
Reviewed-on: https://go-review.googlesource.com/7804
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-02 23:19:57 +00:00
Matt Bostock
1282c034fb crypto/tls: Correct minimum version in comment
Commit 604fa4d5 made TLS 1.0 the default minimum version. This commit
amends a comment to reflect that.

This is where the default is used in the absence of an explicit version
being set:
edadffa2f3/src/crypto/tls/common.go (L391-L393)

Change-Id: I8f1117ecdddc85bb1cc76a6834026505a380b793
Reviewed-on: https://go-review.googlesource.com/5525
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
Reviewed-by: Minux Ma <minux@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-03-25 12:53:36 +00:00
Josh Bleecher Snyder
9c57dac301 all: use "reports whether" in place of "returns true if(f)"
Comment changes only.

Change-Id: I56848814564c4aa0988b451df18bebdfc88d6d94
Reviewed-on: https://go-review.googlesource.com/7721
Reviewed-by: Rob Pike <r@golang.org>
2015-03-18 15:14:06 +00:00
Adam Langley
c1da171db7 crypto/tls: disable RC4 by default.
RC4 is frowned upon[1] at this point and major providers are disabling it
by default[2].

Those who still need RC4 support in crypto/tls can enable it by
specifying the CipherSuites slice in crypto/tls.Config explicitly.

Fixes #10094.

[1] https://tools.ietf.org/html/rfc7465
[2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/

Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f
Reviewed-on: https://go-review.googlesource.com/7647
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-18 00:38:14 +00:00
Adam Langley
113bae6283 crypto/tls: panic with unknown hash functions.
Just so that we notice in the future if another hash function is added
without updating this utility function, make it panic when passed an
unknown handshake hash function. (Which should never happen.)

Change-Id: I60a6fc01669441523d8c44e8fbe7ed435e7f04c8
Reviewed-on: https://go-review.googlesource.com/7646
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Joël Stemmer <stemmertech@gmail.com>
2015-03-18 00:37:56 +00:00
Joël Stemmer
c32a7dcd6d crypto/tls: return correct hash function when using client certificates in handshake
Commit f1d669aee994b28e1afcfe974680565932d25b70 added support for
AES_256_GCM_SHA384 cipher suites as specified in RFC5289. However, it
did not take the arbitrary hash function into account in the TLS client
handshake when using client certificates.

The hashForClientCertificate method always returned SHA256 as its
hashing function, even if it actually used a different one to calculate
its digest. Setting up the connection would eventually fail with the
error "tls: failed to sign handshake with client certificate:
crypto/rsa: input must be hashed message".

Included is an additional test for this specific situation that uses the
SHA384 hash.

Fixes #9808

Change-Id: Iccbf4ab225633471ef897907c208ad31f92855a3
Reviewed-on: https://go-review.googlesource.com/7040
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-03-16 23:38:51 +00:00
Joël Stemmer
921f871f9e crypto/tls: fix typo in tls handshake error
Change-Id: Ia9f39250619ea6e94157efceddfb2e02d35f3ae2
Reviewed-on: https://go-review.googlesource.com/7041
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
2015-03-06 18:18:40 +00:00
Adam Langley
fb479af552 crypto/tls: allow larger initial records.
Some servers which misunderstood the point of the CertificateRequest
message send huge reply records. These records are large enough that
they were considered “insane” by the TLS code and rejected.

This change removes the sanity test for record lengths. Although the
maxCiphertext test still remains, just above, which (roughly) enforces
the 16KB protocol limit on record sizes:
https://tools.ietf.org/html/rfc5246#section-6.2.1

Fixes #8928.

Change-Id: Idf89a2561b1947325b7ddc2613dc2da638d7d1c9
Reviewed-on: https://go-review.googlesource.com/5690
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-24 19:39:36 +00:00
Péter Surányi
cf73eabe95 all: don't refer to code.google.com/p/go{,-wiki}/
Only documentation / comment changes. Update references to
point to golang.org permalinks or go.googlesource.com/go.
References in historical release notes under doc are left as is.

Change-Id: Icfc14e4998723e2c2d48f9877a91c5abef6794ea
Reviewed-on: https://go-review.googlesource.com/4060
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2015-02-06 14:41:47 +00:00
Jacob H. Haven
e8ae7b54bb crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289
Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256).
Testdata were all updated to correspond with the new cipher suites in the handshake.

Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f
Reviewed-on: https://go-review.googlesource.com/3265
Reviewed-by: Adam Langley <agl@golang.org>
2015-02-04 00:18:14 +00:00
David Leon Gil
a1363d2ed9 crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.

Fixes #9452

--

This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:

   - csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
   - reader = AES-256-CTR(k=csprng_key)

This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.

ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:

*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.

*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.

--

Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.

--

[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"

[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"

[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"

[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"

[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"

New tests:

  TestNonceSafety: Check that signatures are safe even with a
    broken entropy source.

  TestINDCCA: Check that signatures remain non-deterministic
    with a functional entropy source.

Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.

Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-28 01:39:51 +00:00
Brad Fitzpatrick
3519a50a69 crypto/tls: remove return parameter stutter
Per https://golang.org/s/style#named-result-parameters

Change-Id: If69d3e6d3dbef385a0f41e743fa49c25475ca40c
Reviewed-on: https://go-review.googlesource.com/2761
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-13 21:35:11 +00:00
Adam Langley
0581a2f81d crypto/tls: fix renegotiation extension.
There are two methods by which TLS clients signal the renegotiation
extension: either a special cipher suite value or a TLS extension.

It appears that I left debugging code in when I landed support for the
extension because there's a "+ 1" in the switch statement that shouldn't
be there.

The effect of this is very small, but it will break Firefox if
security.ssl.require_safe_negotiation is enabled in about:config.
(Although almost nobody does this.)

This change fixes the original bug and adds a test. Sadly the test is a
little complex because there's no OpenSSL s_client option that mirrors
that behaviour of require_safe_negotiation.

Change-Id: Ia6925c7d9bbc0713e7104228a57d2d61d537c07a
Reviewed-on: https://go-review.googlesource.com/1900
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-01-06 19:50:07 +00:00
Adam Langley
0511e2597e crypto/tls: change default minimum version to TLS 1.0.
SSLv3 (the old minimum) is still supported and can be enabled via the
tls.Config, but this change increases the default minimum version to TLS
1.0. This is now common practice in light of the POODLE[1] attack
against SSLv3's CBC padding format.

[1] https://www.imperialviolet.org/2014/10/14/poodle.html

Fixes #9364.

Change-Id: Ibae6666ee038ceee0cb18c339c393155928c6510
Reviewed-on: https://go-review.googlesource.com/1791
Reviewed-by: Minux Ma <minux@golang.org>
2014-12-18 19:49:41 +00:00
Ben Burkert
18902d24a3 crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version
Fix TLS_FALLBACK_SCSV check when comparing the client version to the
default max version. This enables the TLS_FALLBACK_SCSV check by default
in servers that do not explicitly set a max version in the tls config.

Change-Id: I5a51f9da6d71b79bc6c2ba45032be51d0f704b5e
Reviewed-on: https://go-review.googlesource.com/1776
Reviewed-by: Adam Langley <agl@golang.org>
2014-12-18 19:36:01 +00:00
Adam Langley
4e47a4aef7 crypto/tls: support TLS_FALLBACK_SCSV as a server.
A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only
supports SSLv3 as a server, not as a client. An easy fix is to change
the default minimum version to TLS 1.0 but that seems a little much
this late in the 1.4 process as it may break some things.

Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a
mechanism for solving the fallback problem overall. Chrome has
implemented this since February and Google has urged others to do so in
light of yesterday's news.

With this change, clients can indicate that they are doing a fallback
connection and Go servers will be able to correctly reject them.

[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
[2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

LGTM=rsc
R=rsc
CC=golang-codereviews
https://golang.org/cl/157090043
2014-10-15 17:54:04 -07:00
Adam Langley
d279bab6f5 crypto/tls: ensure that we don't resume when tickets are disabled.
LGTM=r
R=r, adg, rsc
https://golang.org/cl/148080043
2014-09-26 11:02:09 +10:00
Russ Cox
14e9aa8cf5 crypto/tls: print unexpected error in test
Maybe will help us understand Solaris build failure.

TBR=aram
CC=golang-codereviews
https://golang.org/cl/139290043
2014-09-07 09:07:19 -04:00
Adam Langley
b88cd69926 crypto: add Signer
Signer is an interface to support opaque private keys.
These keys typically result from being kept in special hardware
(i.e. a TPM) although sometimes operating systems provide a
similar interface using process isolation for security rather
than hardware boundaries.

This changes provides interfaces for representing them and
alters crypto/tls so that client certificates can use
opaque keys.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews, jdeprez
https://golang.org/cl/114680043
2014-08-29 12:36:30 -07:00
Andres Erbsen
16b2f42015 crypto/tls: implement tls-unique channel binding (RFC 5929 section 3).
Tested against GnuTLS and Python.

LGTM=agl
R=golang-codereviews, agl, ashankar
CC=agl, golang-codereviews
https://golang.org/cl/117100043
2014-08-11 16:40:42 -07:00
Percy Wegmann
9e441ebf1d crypto/tls: Added dynamic alternative to NameToCertificate map for SNI
Revised version of https://golang.org/cl/81260045/

LGTM=agl
R=golang-codereviews, gobot, agl, ox
CC=golang-codereviews
https://golang.org/cl/107400043
2014-08-06 11:22:00 -07:00
Adam Langley
5e8d397065 crypto/tls: add ALPN support.
Fixes #6736.

LGTM=mikioh.mikioh
R=bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/108710046
2014-08-05 11:36:20 -07:00
Adam Langley
4fe9ec0490 crypto/tls: check curve equation in ECDHE.
This change causes a TLS client and server to verify that received
elliptic curve points are on the expected curve. This isn't actually
necessary in the Go TLS stack, but Watson Ladd has convinced me that
it's worthwhile because it's pretty cheap and it removes the
possibility that some change in the future (e.g. tls-unique) will
depend on it without the author checking that precondition.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/115290046
2014-07-28 15:46:27 -07:00
Asim Shankar
cf213d5c40 crypto/tls: Support ECDSA keys in generate_cert.go
R=golang-codereviews, bradfitz, agl
CC=golang-codereviews
https://golang.org/cl/117180043
2014-07-28 14:46:34 -07:00
Robert Griesemer
601d9250e6 src, misc: applied gofmt -w -s
TBR=rsc
R=golang-codereviews
CC=golang-codereviews
https://golang.org/cl/111770043
2014-07-01 10:28:10 -07:00
Brad Fitzpatrick
38da2b7bd9 crypto/tls: fix typo referencing the required Config field
Thanks to Frithjof Schulze for noticing.

LGTM=adg
R=adg
CC=agl, golang-codereviews, r
https://golang.org/cl/107740043
2014-06-03 18:11:17 +10:00
Robert Griesemer
73687a33ac std lib: fix various typos in comments
Where the spelling changed from British to
US norm (e.g., optimise -> optimize) it follows
the style in that file.

LGTM=adonovan
R=golang-codereviews, adonovan
CC=golang-codereviews
https://golang.org/cl/96980043
2014-05-02 13:17:55 -07:00
Robert Hencke
71f215c69a all: spelling tweaks, A-G
LGTM=ruiu, bradfitz
R=golang-codereviews, bradfitz, ruiu
CC=golang-codereviews
https://golang.org/cl/91840044
2014-04-29 12:44:40 -04:00
Brad Fitzpatrick
89d6b4b257 crypto/tls: don't block on Read of zero bytes
Fixes #7775

LGTM=rsc
R=agl, rsc
CC=golang-codereviews
https://golang.org/cl/88340043
2014-04-15 19:40:00 -07:00
Brad Fitzpatrick
53431b940d crypto/tls: deflake TestConnReadNonzeroAndEOF
Fixes #7683

LGTM=rsc
R=rsc
CC=golang-codereviews
https://golang.org/cl/83080048
2014-04-02 14:31:57 -07:00
Brad Fitzpatrick
a56b0bf7e2 crypto/tls: make Conn.Read return (n, io.EOF) when EOF is next in buffer
Update #3514

An io.Reader is permitted to return either (n, nil)
or (n, io.EOF) on EOF or other error.

The tls package previously always returned (n, nil) for a read
of size n if n bytes were available, not surfacing errors at
the same time.

Amazon's HTTPS frontends like to hang up on clients without
sending the appropriate HTTP headers. (In their defense,
they're allowed to hang up any time, but generally a server
hangs up after a bit of inactivity, not immediately.) In any
case, the Go HTTP client tries to re-use connections by
looking at whether the response headers say to keep the
connection open, and because the connection looks okay, under
heavy load it's possible we'll reuse it immediately, writing
the next request, just as the Transport's always-reading
goroutine returns from tls.Conn.Read and sees (0, io.EOF).

But because Amazon does send an AlertCloseNotify record before
it hangs up on us, and the tls package does its own internal
buffering (up to 1024 bytes) of pending data, we have the
AlertCloseNotify in an unread buffer when our Conn.Read (to
the HTTP Transport code) reads its final bit of data in the
HTTP response body.

This change makes that final Read return (n, io.EOF) when
an AlertCloseNotify record is buffered right after, if we'd
otherwise return (n, nil).

A dependent change in the HTTP code then notes whether a
client connection has seen an io.EOF and uses that as an
additional signal to not reuse a HTTPS connection. With both
changes, the majority of Amazon request failures go
away. Without either one, 10-20 goroutines hitting the S3 API
leads to such an error rate that empirically up to 5 retries
are needed to complete an API call.

LGTM=agl, rsc
R=agl, rsc
CC=golang-codereviews
https://golang.org/cl/76400046
2014-03-25 10:58:35 -07:00
Adam Langley
cb66b63918 encoding/asn1: use GeneralizedTime for times outside the range of UTCTime.
Fixes issue #6976.

LGTM=r
R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/72080044
2014-03-21 11:14:38 -04:00
Brad Fitzpatrick
ab3538d779 crypto/tls: clarify concurrent use of Config
LGTM=r, agl
R=agl, r
CC=golang-codereviews
https://golang.org/cl/77530044
2014-03-20 08:32:06 -07:00
Adam Langley
ef4934a9ed crypto/tls: split connErr to avoid read/write races.
Currently a write error will cause future reads to return that same error.
However, there may have been extra information from a peer pending on
the read direction that is now unavailable.

This change splits the single connErr into errors for the read, write and
handshake. (Splitting off the handshake error is needed because both read
and write paths check the handshake error.)

Fixes #7414.

LGTM=bradfitz, r
R=golang-codereviews, r, bradfitz
CC=golang-codereviews
https://golang.org/cl/69090044
2014-03-03 09:01:44 -05:00
Adam Langley
8d65af24c4 crypto/tls: add DialWithDialer.
While reviewing uses of the lower-level Client API in code, I found
that in many cases, code was using Client only because it needed a
timeout on the connection. DialWithDialer allows a timeout (and
 other values) to be specified without resorting to the low-level API.

LGTM=r
R=golang-codereviews, r, bradfitz
CC=golang-codereviews
https://golang.org/cl/68920045
2014-02-28 09:40:12 -05:00
Adam Langley
24720a0864 crypto/tls: report TLS version in ConnectionState.
Fixes #7231.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/68250043
2014-02-24 18:01:28 -05:00
Adam Langley
514cfc8a40 crypto/tls: pick ECDHE curves based on server preference.
Currently an ECDHE handshake uses the client's curve preference. This
generally means that we use P-521. However, P-521's strength is
mismatched with the rest of the cipher suite in most cases and we have
a fast, constant-time implementation of P-256.

With this change, Go servers will use P-256 where the client supports
it although that can be overridden in the Config.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/66060043
2014-02-24 17:57:51 -05:00
Adam Langley
2680804ebc crypto/tls: enforce that either ServerName or InsecureSkipVerify be given.
crypto/tls has two functions for creating a client connection: Dial,
which most users are expected to use, and Client, which is the
lower-level API.

Dial does what you expect: it gives you a secure connection to the host
that you specify and the majority of users of crypto/tls appear to work
fine with it.

Client gives more control but needs more care. Specifically, if it
wasn't given a server name in the tls.Config then it didn't check that
the server's certificates match any hostname - because it doesn't have
one to check against. It was assumed that users of the low-level API
call VerifyHostname on the certificate themselves if they didn't supply
a hostname.

A review of the uses of Client both within Google and in a couple of
external libraries has shown that nearly all of them got this wrong.

Thus, this change enforces that either a ServerName or
InsecureSkipVerify is given. This does not affect tls.Dial.

See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J.

Fixes #7342.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/67010043
2014-02-21 15:56:41 -05:00
Adam Langley
dbe3452407 crypto/x509: add example of using a custom root list.
Fixes #6267.

LGTM=r, josharian
R=golang-codereviews, josharian, r
CC=golang-codereviews
https://golang.org/cl/61020043
2014-02-19 11:18:35 -05:00
Adam Langley
ae10e2fdd9 crypto/tls: improve documentation for ServerName.
Users of the low-level, Client function are frequenctly missing the
fact that, unless they pass a ServerName to the TLS connection then it
cannot verify the certificates against any name.

This change makes it clear that at least one of InsecureSkipVerify and
ServerName should always be set.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/65440043
2014-02-19 11:17:09 -05:00
Adam Langley
5a2aacff2f crypto/tls: better error messages.
LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/60580046
2014-02-12 11:20:01 -05:00
Anthony Martin
8cf5d703de crypto/tls: do not send the current time in hello messages
This reduces the ability to fingerprint TLS connections.

The impeteus for this change was a recent change to OpenSSL
by Nick Mathewson:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2016265dfb

LGTM=agl
R=agl
CC=golang-codereviews
https://golang.org/cl/57230043
2014-02-04 10:51:37 -05:00
Gautham Thambidorai
9323f900fd crypto/tls: Client side support for TLS session resumption.
Adam (agl@) had already done an initial review of this CL in a branch.

Added ClientSessionState to Config which now allows clients to keep state
required to resume a TLS session with a server. A client handshake will try
and use the SessionTicket/MasterSecret in this cached state if the server
acknowledged resumption.

We also added support to cache ClientSessionState object in Config that will
be looked up by server remote address during the handshake.

R=golang-codereviews, agl, rsc, agl, agl, bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/15680043
2014-01-22 18:24:03 -05:00
Adam Langley
6f38414b48 crypto/tls: support renegotiation extension.
The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.

Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.

We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.

[1] https://tools.ietf.org/search/rfc5746

R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/48580043
2014-01-09 13:38:11 -05:00
Adam Langley
98968dca72 crypto/tls: rework reference tests.
The practice of storing reference connections for testing has worked
reasonably well, but the large blocks of literal data in the .go files
is ugly and updating the tests is a real problem because their number
has grown.

This CL changes the way that reference tests work. It's now possible to
automatically update the tests and the test data is now stored in
testdata/. This should make it easier to implement changes that affect
all connections, like implementing the renegotiation extension.

R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/42060044
2013-12-20 11:37:05 -05:00