New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: Prevent Go stdlib from overwriting our very first tls ticket key #785

Merged

mark-kubacki merged 1 commit into master from fix-tls-ww-race

Apr 23, 2016

mark-kubacki commented Apr 23, 2016

No description provided.


          tls: Prevent Go stdlib from overwriting our very first tls ticket key

25fc0c6

[1] https://github.com/golang/go/blob/57e459e02b4b01567f92542f92cd9afde209e193/src/crypto/tls/common.go#L424
[2] https://github.com/golang/go/blob/57e459e02b4b01567f92542f92cd9afde209e193/src/crypto/tls/common.go#L392-L407

[2] has overwritten the first tls ticket key on round N=0, that has previously
been written using [1].

Go's stdlib does not use c.sessionTicketKeys≥1 as indicator if those values had
already been set; initializing that lone SessionTicketKey does the job for for
now.
    If c.serverInit() were called in round N+1 all existing tls ticket keys
are being overwritten (in round N<4 except the very first one, of course).
Member variables for tls.Config are read-only by then, so we cannot just keep
updating SessionTicketKey as well.

This has been escalated to upstream with golang/go#15421 here:
golang/go#15421

Thanks to Matthew Holt for the initial report!

mark-kubacki merged commit 6f5cff5 into master

mark-kubacki deleted the fix-tls-ww-race branch

April 24, 2016 17:54

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment