Commit Graph

131 Commits

Author SHA1 Message Date
03138ec18e TLSv1.3 -draft23: Implementation of signature_algorithms_cert
Tris uses signature_algorithms_cert in order to advertise that it
doesn't support RSA-PSS. See GH#86 for more detailed discussion.
2018-06-29 07:47:50 +01:00
5bdf1af124 TLS1.3 -draft23: Renumber key_share 2018-06-29 07:47:50 +01:00
42d5f61fd6 Set default MinVersion of protocol to TLSv12 2018-03-27 16:03:31 +01:00
c1206cd452 Enable TLS 1.3 (draft-22) as default
* Also alignes some tests which were broken because of this
  change
2018-03-27 16:03:31 +01:00
b05f4a6a51 Adds ID for CA's extension 2018-03-27 08:52:44 +01:00
Filippo Valsorda
2e765efc88 crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth
Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc
Reviewed-on: https://go-review.googlesource.com/84475
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-21 16:26:26 +00:00
d3da622def
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)
Temporarily reverts update to go1.10
2018-03-21 14:27:31 +00:00
ec236c5591 [PATCH] all: use HTTPS for iana.org links
This is merge of commit 5158aab7d662e274aed870ae6bf9cf8ae0786f5b
from https://github.com/golang/go.git for go/crypto/tls only.

iana.org, www.iana.org and data.iana.org all present a valid TLS
certificate, so let's use it when fetching data or linking to
resources to avoid errors in transit.

Reviewed-on: https://go-review.googlesource.com/89416
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
Filippo Valsorda
eaa1196b44 crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth
Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc
Reviewed-on: https://go-review.googlesource.com/84475
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
Peter Wu
a0bab1759d tris: update Server Hello processing for D22
Check SupportedVersions for the actual version and verify that the
server sets the correct SeverHello.legacy_version. Change D21 to D22.
2017-12-13 20:15:00 +00:00
Peter Wu
e89292ccbe tris: convert end_of_early_data to a handshake message
Draft 21 changed end_of_early_data from an alert into a handshake
message to allow it to integrate better with the handshake. This change
does that, rather than handling EOD at the record layer, it moves
processing up to the actual readers of (early) application data.
2017-12-13 17:49:25 +00:00
Peter Wu
fd93e9ecf6 tris: implement D19 and D20 changes for secrets
D19 added an additional pre-extract Derive-Secret stage. D20 shortened
labels. Bump from D18 to D21 with no backwards compat option for now
since older drafts are considered undeployable.
2017-12-13 17:49:25 +00:00
Peter Wu
92d04f3ebd tris: advertise PSS in Client Hello for TLS 1.3
Until PSS support is finalized for TLS 1.2, let's not advertise support
for that. Since TLS 1.3 however mandates PSS, we have no other option
than advertising this even if we have not added complete support.

Another reason why I apply it to just TLS 1.3 and not 1.2 is because the
latter would require updating the testdata.
2017-12-13 17:39:53 +00:00
Peter Wu
9f46cf9e2d crypto/tls: add RSASSA-PSS support for handshake messages
This adds support for RSASSA-PSS signatures in handshake messages as
required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS
when advertised in the Client Hello (this will be done later as the
testdata will change).

Updates #9671

Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
2017-12-13 17:34:03 +00:00
Peter Wu
4e6ebb63dd tris: unify ServerHello processing in preparation for D22
Merge serverHelloMsg13 into serverHelloMsg in preparation for draft 22.
This will also simplify the client implementation since only one
structure has to be checked.

Also fixed potential out-of-bounds access with keyShare unmarshal.
2017-11-24 19:44:22 +00:00
Peter Wu
fa9ccdc8b0 Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream
Merge upstream go post-1.9 crypto/tls changes from master:

d8ee5d11e5 crypto/tls: limit number of consecutive warning alerts
96cd66b266 crypto/tls: advertise support for SHA-512 signatures in 1.2
f265f5db5d archive/zip, crypto/tls: use rand.Read instead of casting ints to bytes
54d04c2fcb crypto/tls: remove bookkeeping code from pHash function
d1bbdbe760 crypto/tls: replace signatureAndHash by SignatureScheme.
cb3b345209 crypto/tls: fix first byte test for 255 CBC padding bytes
d153df8e4b all: revert "all: prefer strings.LastIndexByte over strings.LastIndex"
5e42658fc0 all: prefer bytes.IndexByte over bytes.Index
d2826d3e06 all: prefer strings.LastIndexByte over strings.LastIndex
5a986eca86 all: fix article typos
0f9a2cf2c4 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
e7d46cee2f crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate
85deaf6077 crypto/tls: fix docstring of Config.ClientSessionCache
4a5f85babb crypto/tls: disallow handshake messages fragmented across CCS
b3465646ff crypto/tls: add BenchmarkHandshakeServer
d38d357c78 crypto/tls: don't check whether an ec point is on a curve twice
e085a891f0 crypto/tls: split clientHandshake into multiple methods

Conflicts:
 * handshake_client.go: conflict between our ("crypto/tls: allow client to
   pick TLS 1.3, do not enable it by default.") and upstream
   ("crypto/tls: split clientHandshake into multiple methods"), resolve
   by applying the mutualVersion->pickVersion change in pickTLSVersion.
 * handshake_server.go: trivial conflict due to upstreamed patch
   ("crypto/tls: replace signatureAndHash by SignatureScheme.") and
   ("crypto/tls: implement TLS 1.3 server 0-RTT") which added pskBinder.

Other merge changes:
 * tls13.go: signatureAndHashes as added in ("crypto/tls: implement TLS
   1.3 minimal server") was renamed as required by ("crypto/tls: replace
   signatureAndHash by SignatureScheme.").
 * handshake_client.go: moved check from ("crypto/tls: check that client
   cipher suite matches version") to pickCipherSuite as required by
   ("crypto/tls: split clientHandshake into multiple methods").
2017-11-14 14:26:20 +00:00
filewalkwithme
ff1bc5469f crypto/tls: limit number of consecutive warning alerts
In the current implementation, it is possible for a client to
continuously send warning alerts, which are just dropped on the floor
inside readRecord.

This can enable scenarios in where someone can try to continuously
send warning alerts to the server just to keep it busy.

This CL implements a simple counter that triggers an error if
we hit the warning alert limit.

Fixes #22543

Change-Id: Ief0ca10308cf5a4dea21a5a67d3e8f6501912da6
Reviewed-on: https://go-review.googlesource.com/75750
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-11-08 23:18:52 +00:00
Filippo Valsorda
64bffb76ca crypto/tls: advertise support for SHA-512 signatures in 1.2
This is the equivalent change to 1c105980 but for SHA-512.

SHA-512 certificates are already supported by default since b53bb2ca,
but some servers will refuse connections if the algorithm is not
advertised in the overloaded signatureAndHash extension (see 09b238f1).

This required adding support for SHA-512 signatures on CertificateVerify
and ServerKeyExchange messages, because of said overloading.

Some testdata/Client-TLSv1{0,1} files changed because they send a 1.2
ClientHello even if the server picks a lower version.

Closes #22422

Change-Id: I16282d03a3040260d203711ec21e6b20a0e1e105
Reviewed-on: https://go-review.googlesource.com/74950
Run-TryBot: Filippo Valsorda <hi@filippo.io>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2017-11-08 22:39:36 +00:00
Peter Wu
6c380f3bb6 crypto/tls: replace signatureAndHash by SignatureScheme.
Consolidate the signature and hash fields (SignatureAndHashAlgorithm in
TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21).
This makes it easier to add RSASSA-PSS for TLS 1.2 in the future.

Fields were named like "signatureAlgorithm" rather than
"signatureScheme" since that name is also used throughout the 1.3 draft.

The only new public symbol is ECDSAWithSHA1, other than that this is an
internal change with no new functionality.

Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0
Reviewed-on: https://go-review.googlesource.com/62210
Reviewed-by: Adam Langley <agl@golang.org>
2017-10-13 23:25:03 +00:00
Tom Thorogood
710e9e9631 crypto/tls: Use a backing array for getSupportedVersions
Avoid runtime heap memory allocation.

Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
2017-10-03 12:38:04 +01:00
Peter Wu
aab74cb372 crypto/tls: allow client to pick TLS 1.3, do not enable it by default.
mutualVersion takes a maximum version, but skips TLS 1.3 because this
version is not negotiated via ClientHello.legacy_version. The server
however still uses its ServerHello.version field to select a version
from the supported_versions extension and the client must do the same.

A new getSupportedVersions method is introduced to have a single place
to handle the mapping of VersionTLS13 to the draft values.

Remove the MaxVersion override to TLS 1.3, users must set MaxVersion if
they intent to use the experimental TLS 1.3 functionality.

Fixes: ("crypto/tls: make 1.3 version negotiation more robust")
2017-09-29 12:47:55 +01:00
Peter Wu
998f77009e crypto/tls: remove TLS13CipherSuites.
To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites,
remove the distinction between both suites. TLS 1.3 suites are now
always included in the default cipher list (and the client will send it
if MaxVersion allows for it).

Since TLS 1.3 is expected to become the default MaxVersion and
applications might have set only TLS 1.2 cipher suites in their
configuration, TLS 1.3 cipher suites are added when none are present.

Alternatively, I considered disallowing overriding the TLS 1.3 suites,
but that requires more complexity and has not much benefits. Provide a
mechanism and do not dictate policy, application developers might want
to fix a cipher suite for testing other implementations for example.

Fixes https://github.com/cloudflare/tls-tris/pull/22
2017-09-29 12:47:14 +01:00
Peter Wu
3107d575a8 tris: implement SSLKEYLOGFILE for TLS 1.3 server
This makes it easier to validate the handshake contents using Wireshark.
2017-09-21 15:37:34 +01:00
Filippo Valsorda
7f449cbaa7 tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
Filippo Valsorda
4f7b5988a3 crypto/tls: add ConnectionState.Unique0RTTToken 2017-09-05 21:06:35 +01:00
Filippo Valsorda
4191962f25 crypto/tls: use correct alerts
BoGo: Resume-Server-PSKBinderFirstExtension
BoGo: Resume-Server-ExtraPSKBinder
BoGo: Resume-Server-ExtraIdentityNoBinder
BoGo: Renegotiate-Server-Forbidden
BoGo: NoNullCompression
BoGo: TrailingMessageData-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
922b99e473 crypto/tls: make 1.3 version negotiation more robust
BoGo: IgnoreClientVersionOrder
BoGO: *VersionTolerance
BoGo: RejectFinalTLS13
2017-09-05 21:06:34 +01:00
Filippo Valsorda
f8c15889af crypto/tls: implement TLS 1.3 server 0-RTT 2017-09-05 21:06:34 +01:00
Filippo Valsorda
453bd6af77 crypto/tls: implement TLS 1.3 PSK messages 2017-09-05 21:06:34 +01:00
Filippo Valsorda
8052dc002f tris: extend ConnectionInfo 2017-09-05 21:06:34 +01:00
Filippo Valsorda
4b0d17eca3 crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00
Filippo Valsorda
26a95ba46a [dev.tls] crypto/tls: implement TLS 1.3 cipher suites
I opted for adding a separate TLS13CipherSuites field to the Config
because library users that did not set Config.MaxVersion are
supposed to get TLS 1.3 support automatically, like it has been for
HTTP/2, but having set CipherSuites would effectively disable it.

Updates #9671

Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
2017-09-05 20:29:39 +01:00
Filippo Valsorda
9bc837c453 [dev.tls] crypto/tls: implement TLS 1.3 messages
Updates #9671

Change-Id: Ia1b06ae518a4b2821a584a420d99859a2666c8f0
2017-09-05 20:27:04 +01:00
Filippo Valsorda
7743362eba [dev.tls] crypto/tls: implement TLS 1.3 record layer
Opening the 1.3 dances with the record layer because it has been the
most stable through the drafts, has the least dependencies, and has been
tricky in my experience.

Note that the record layer version check is entirely removed according
to https://tools.ietf.org/html/draft-ietf-tls-tls13-18#appendix-C.2.

A test that happened to hit that check (but was not made to test for it)
has changed to the next error in the stack.

There are no 1.3 tests at the moment, and I suspect they will all have to
wait for the patch cycle to reach interoperability.

Using > / <= VersionTLS13 for all conditionals to transparently support
draft versions and hypotetical future versions.

See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-5.

Updates #9671

Change-Id: I97f0a59439728f194a1c50b48cff041469a0f00b
2017-09-05 20:27:04 +01:00
Artyom Pervukhin
dd708a5a20 crypto/tls: fix docstring of Config.ClientSessionCache
Closes #21519

Change-Id: I1247e9435de93aae7e4db2b6e8e5be1b010c296b
Reviewed-on: https://go-review.googlesource.com/56832
Reviewed-by: Avelino <t@avelino.xxx>
Reviewed-by: Adam Langley <agl@golang.org>
2017-08-25 22:37:26 +00:00
Adam Langley
b0bcb44715 crypto/tls: pass argument to serverInit rather than using a field in Config.
Updates #20164.

Change-Id: Ib900095e7885f25cd779750674a712c770603ca8
Reviewed-on: https://go-review.googlesource.com/42137
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-05-16 18:23:28 +00:00
Mike Danese
cec37e0cf2 crypto/tls: make Config.Clone also clone the GetClientCertificate field
Using GetClientCertificate with the http client is currently completely
broken because inside the transport we clone the tls.Config and pass it
off to the tls.Client. Since tls.Config.Clone() does not pass forward
the GetClientCertificate field, GetClientCertificate is ignored in this
context.

Fixes #19264

Change-Id: Ie214f9f0039ac7c3a2dab8ffd14d30668bdb4c71
Signed-off-by: Mike Danese <mikedanese@google.com>
Reviewed-on: https://go-review.googlesource.com/37541
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-03-02 19:43:07 +00:00
Максим Федосеев
c9d95e7aac crypto/tls: fix link to more info about channel bindings
Link in the description of TLSUnique field of ConnectionState struct
leads to an article that is no longer available, so this commit
replaces it with link to a copy of the very same article on another
site.

Fixes #18842.

Change-Id: I8f8d298c4774dc0fbbad5042db0684bb3220aee8
Reviewed-on: https://go-review.googlesource.com/36052
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Adam Langley <agl@golang.org>
2017-02-08 19:57:15 +00:00
Adam Langley
2fd73e730d crypto/tls: document that only tickets are supported.
This change clarifies that only ticket-based resumption is supported by
crypto/tls. It's not clear where to document this for a server,
although perhaps it's obvious there because there's nowhere to plug in
the storage that would be needed by SessionID-based resumption.

Fixes #18607

Change-Id: Iaaed53e8d8f2f45c2f24c0683052df4be6340922
Reviewed-on: https://go-review.googlesource.com/36560
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-02-08 17:54:06 +00:00
Daniel Martí
6091662fa9 cmd/link, crypto/tls: don't use append loops
Change-Id: Ib47e295e8646b769c30fd81e5c7f20f964df163e
Reviewed-on: https://go-review.googlesource.com/36335
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-07 16:42:32 +00:00
Anmol Sethi
c7f1c5bf4e crypto/tls: document ConnectionState.NegotiatedProtocol more clearly
ConnectionState.NegotiatedProtocol's documentation implies that it will
always be from Config.NextProtos. This commit clarifies that there is no
guarantee.

This commit also adds a note to
ConnectionState.NegotiatedProtocolIsMutual, making it clear that it is
client side only.

Fixes #18841

Change-Id: Icd028af8042f31e45575f1080c5e9bd3012e03d7
Reviewed-on: https://go-review.googlesource.com/35917
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-01 21:48:27 +00:00
Adam Langley
1ac9b9783b crypto/{cipher,tls,internal/cryptohw}: prioritise AES-GCM when hardware support is present.
Support for ChaCha20-Poly1305 ciphers was recently added to crypto/tls.
These ciphers are preferable in software, but they cannot beat hardware
support for AES-GCM, if present.

This change moves detection for hardware AES-GCM support into
cipher/internal/cipherhw so that it can be used from crypto/tls. Then,
when AES-GCM hardware is present, the AES-GCM cipher suites are
prioritised by default in crypto/tls. (Some servers, such as Google,
respect the client's preference between AES-GCM and ChaCha20-Poly1305.)

Fixes #17779.

Change-Id: I50de2be486f0b0b8052c4628d3e3205a1d54a646
Reviewed-on: https://go-review.googlesource.com/32871
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-11-07 20:01:18 +00:00
Adam Langley
a1b5b4eab5 crypto/tls: add GetClientCertificate callback
Currently, the selection of a client certificate done internally based
on the limitations given by the server's request and the certifcates in
the Config. This means that it's not possible for an application to
control that selection based on details of the request.

This change adds a callback, GetClientCertificate, that is called by a
Client during the handshake and which allows applications to select the
best certificate at that time.

(Based on https://golang.org/cl/25570/ by Bernd Fix.)

Fixes #16626.

Change-Id: Ia4cea03235d2aa3c9fd49c99c227593c8e86ddd9
Reviewed-on: https://go-review.googlesource.com/32115
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-27 17:20:07 +00:00
Adam Langley
ce1c25b814 crypto/tls: add a SignatureScheme type.
The SignatureAndHashAlgorithm from TLS 1.2[1] is being changed to
SignatureScheme in TLS 1.3[2]. (The actual values are compatible
however.)

Since we expect to support TLS 1.3 in the future, we're already using
the name and style of SignatureScheme in the recently augmented
ClientHelloInfo. As this is public API, it seems that SignatureScheme
should have its own type and exported values, which is implemented in
this change.

[1] https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
[2] https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.3

Change-Id: I0482755d02bb9a04eaf075c012696103eb806645
Reviewed-on: https://go-review.googlesource.com/32119
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-10-27 17:11:04 +00:00
Filippo Valsorda
b189f06b5c crypto/tls: expand ClientHelloInfo
Fixes #17430

Change-Id: Ia1c25363d64e3091455ce00644438715aff30a0d
Reviewed-on: https://go-review.googlesource.com/31391
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <hi@filippo.io>
2016-10-26 15:00:29 +00:00
Joshua Boelter
a660d3e993 crypto/tls: add VerifyPeerCertificate to tls.Config
VerifyPeerCertificate returns an error if the peer should not be
trusted. It will be called after the initial handshake and before
any other verification checks on the cert or chain are performed.
This provides the callee an opportunity to augment the certificate
verification.

If VerifyPeerCertificate is not nil and returns an error,
then the handshake will fail.

Fixes #16363

Change-Id: I6a22f199f0e81b6f5d5f37c54d85ab878216bb22
Reviewed-on: https://go-review.googlesource.com/26654
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-24 23:24:11 +00:00
Adam Langley
56db2e9d77 net/http: drop custom tls.Config cloning code.
Now that we have the Clone method on tls.Config, net/http doesn't need
any custom functions to do that any more.

Change-Id: Ib60707d37f1a7f9a7d7723045f83e59eceffd026
Reviewed-on: https://go-review.googlesource.com/31595
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-10-22 17:12:39 +00:00
Adam Langley
826c39c6ef crypto/tls: add Config.GetConfigForClient
GetConfigForClient allows the tls.Config to be updated on a per-client
basis.

Fixes #16066.
Fixes #15707.
Fixes #15699.

Change-Id: I2c675a443d557f969441226729f98502b38901ea
Reviewed-on: https://go-review.googlesource.com/30790
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-18 06:44:05 +00:00
Adam Langley
98052045d9 crypto/tls: enable X25519 by default.
Since this changes the offered curves in the ClientHello, all the test
data needs to be updated too.

Change-Id: I227934711104349c0f0eab11d854e5a2adcbc363
Reviewed-on: https://go-review.googlesource.com/30825
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-12 17:07:31 +00:00
Adam Langley
7ef5c9eac8 crypto/tls: support X25519.
X25519 (RFC 7748) is now commonly used for key agreement in TLS
connections, as specified in
https://tools.ietf.org/html/draft-ietf-tls-curve25519-01.

This change adds support for that in crypto/tls, but does not enabled it
by default so that there's less test noise. A future change will enable
it by default and will update all the test data at the same time.

Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4
Reviewed-on: https://go-review.googlesource.com/30824
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-12 17:04:28 +00:00