247820ff6bfba6e1b7891f4bfc25511d68761d5d - go

commit	247820ff6bfba6e1b7891f4bfc25511d68761d5d	[log] [tgz]
author	Andrew Gerrand <adg@golang.org>	Thu Sep 25 22:32:20 2014 +0000
committer	Andrew Gerrand <adg@golang.org>	Thu Sep 25 22:32:20 2014 +0000
tree	ea9c90510eb286eafd0db882e6c0333f1c48a625
parent	7935b51b8b5cbc07f572a28dc2f82e03e5fcb449 [diff]

[release-branch.go1.3] crypto/tls: ensure that we don't resume when tickets are disabled

A security bug affects programs that use crypto/tls to implement a TLS server
from Go 1.1 onwards. If the server enables TLS client authentication using
certificates (this is rare) and explicitly sets SessionTicketsDisabled to true
in the tls.Config, then a malicious client can falsely assert ownership of any
client certificate it wishes.

This issue was discovered internally and there is no evidence of exploitation.

Change authored by Adam Langley <agl@golang.org>
https://golang.org/cl/148080043/

src/pkg/crypto/tls/handshake_server.go[diff]
src/pkg/crypto/tls/handshake_server_test.go[diff]
src/pkg/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable[Added - diff]
src/pkg/crypto/tls/testdata/Server-TLSv12-ResumeDisabled[Added - diff]
src/pkg/crypto/tls/ticket.go[diff]

5 files changed

tree: ea9c90510eb286eafd0db882e6c0333f1c48a625

api/
doc/
include/
lib/
misc/
src/
test/
.hgignore
.hgtags
AUTHORS
CONTRIBUTORS
favicon.ico
LICENSE
PATENTS
README
robots.txt
VERSION