
crypto/tls: OCSP and SCTs are dropped in resumed connections #39075

Open
katiehockman opened this issue May 14, 2020 · 3 comments

@katiehockman (Member) commented May 14, 2020

On resumed connections, the OCSP response and SCTs are dropped on the floor on the client-side. In the case of TLS 1.3, those parameters are available within the Certificate on the sessionStateTLS13 provided to the client, but just currently aren't being used. In the case of TLS 1.2, those parameters aren't included in the session state at all, since the certificates are just passed along as raw bytes. So fixing this for TLS 1.2 and earlier versions will require an update to the sessionState structure.

This will be particularly relevant now that 1.15 will include a VerifyConnection callback on the ConnectionState, which devs will use to access the OCSP responses and SCTs and do any necessary verification against them. Fixing this would be a stabilization fix for that new feature to align with user expectations.

/cc @FiloSottile

@katiehockman katiehockman added this to the Go1.15 milestone May 14, 2020
@katiehockman katiehockman self-assigned this May 14, 2020
@katiehockman katiehockman changed the title from "crypto/tls: OCSP and SCTs aren't included in resumed connections" to "crypto/tls: OCSP and SCTs are dropped in resumed connections" May 14, 2020
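A client-side VerifyConnection policy that enforces the stapled OCSP response and SCT count the issue is about, added here as an example and not code from the Go project; staplePolicy, check, clientConfig and errResumedWithoutStaple are hypothetical names, and the connection states in main are constructed stand-ins for real handshakes. On a Go version affected by this issue, a resumed connection reaches the callback with empty fields, which the policy reports with a distinct error instead of silently skipping the check on resume.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// errResumedWithoutStaple names the failure mode from this issue: the handshake
// resumed a session and the client saw no OCSP response and no SCTs at all.
var errResumedWithoutStaple = errors.New("resumed session carries no OCSP response or SCTs")

// staplePolicy is a hypothetical client-side policy enforced from
// tls.Config.VerifyConnection (Go 1.15+): require a stapled OCSP response and a
// minimum number of SCTs on every connection, resumed or not.
type staplePolicy struct {
	RequireOCSP bool
	MinSCTs     int
}

// check is the VerifyConnection callback. Resumed connections that carry
// nothing are rejected with errResumedWithoutStaple so logs show the cause.
func (p staplePolicy) check(cs tls.ConnectionState) error {
	noOCSP := len(cs.OCSPResponse) == 0
	noSCT := len(cs.SignedCertificateTimestamps) == 0
	if cs.DidResume && noOCSP && noSCT {
		return errResumedWithoutStaple
	}
	if p.RequireOCSP && noOCSP {
		return errors.New("missing stapled OCSP response")
	}
	if n := len(cs.SignedCertificateTimestamps); n < p.MinSCTs {
		return fmt.Errorf("got %d SCT(s), need at least %d", n, p.MinSCTs)
	}
	return nil
}

// clientConfig wires the policy into a tls.Config; chain verification still
// runs first and VerifyConnection runs after it, on fresh and resumed handshakes.
func (p staplePolicy) clientConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, VerifyConnection: p.check}
}

func main() {
	p := staplePolicy{RequireOCSP: true, MinSCTs: 2}
	// Constructed states standing in for what a real handshake would hand us.
	fresh := tls.ConnectionState{OCSPResponse: []byte{0x30}, SignedCertificateTimestamps: [][]byte{{1}, {2}}}
	resumed := tls.ConnectionState{DidResume: true}
	fmt.Println("fresh:", p.check(fresh), "resumed:", p.check(resumed))
	_ = p.clientConfig()
}
```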
@rolandshoemaker (Contributor) commented May 14, 2020

@katiehockman I'd be interested in taking a crack at this, but don't want to tread on your toes if you're already working on it/planning on it.

@katiehockman (Member, Author) commented May 15, 2020

Go for it! The earliest I would work on it would be the week of May 25, so if you beat me to it then great :)

I'll go ahead and assign it to you for now, and if needed can assign it back to myself later on.

@gopherbot commented May 15, 2020

Change https://golang.org/cl/234237 mentions this issue: crypto/tls: restore OCSP and SCTs during session resumption
