

crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely, which allows a server
to optionally return a "certificate_status" when responding to a
client hello containing the "status_request" extension.

fixes golang#8549

Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7
Reviewed-on: https://go-review.googlesource.com/86115
Reviewed-by: Adam Langley <agl@golang.org>
brad-burch authored and agl committed Jan 4, 2018
1 parent de26361 commit 1ecb374
Showing 1 changed file with 20 additions and 12 deletions.
32 changes: 20 additions & 12 deletions handshake_client.go
Expand Up @@ -372,26 +372,34 @@ func (hs *clientHandshakeState) doFullHandshake() error {
}
}

if hs.serverHello.ocspStapling {
msg, err = c.readHandshake()
if err != nil {
return err
}
cs, ok := msg.(*certificateStatusMsg)
if !ok {
msg, err = c.readHandshake()
if err != nil {
return err
}

cs, ok := msg.(*certificateStatusMsg)
if ok {
// RFC4366 on Certificate Status Request:
// The server MAY return a "certificate_status" message.

if !hs.serverHello.ocspStapling {
// If a server returns a "CertificateStatus" message, then the
// server MUST have included an extension of type "status_request"
// with empty "extension_data" in the extended server hello.

c.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(cs, msg)
return errors.New("tls: received unexpected CertificateStatus message")
}
hs.finishedHash.Write(cs.marshal())

if cs.statusType == statusTypeOCSP {
c.ocspResponse = cs.response
}
}

msg, err = c.readHandshake()
if err != nil {
return err
msg, err = c.readHandshake()
if err != nil {
return err
}
}

keyAgreement := hs.suite.ka(c.vers)
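Review bot: With CertificateStatus now optional even when `hs.serverHello.ocspStapling` is set, `c.ocspResponse` can stay nil although the server advertised status_request, and the new block never records that the server declined to staple; that is a caller-visible change (surfaced through ConnectionState().OCSPResponse) that deserves a comment at the `if ok {` branch, e.g. `// The server MAY omit CertificateStatus even after advertising status_request; c.ocspResponse then stays nil.`. The two comments quoted from RFC4366 should cite RFC 6066 section 8, which obsoletes RFC 4366 and carries the same MUST/MAY language, so future readers land on the current text. Note also that the OCSP response is stored here without any validation of its contents, which is unchanged from the prior code but worth stating in the same comment since the message is now accepted on a wider range of handshakes. doFullHandshake begins before this hunk and continues past it.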
