diff options
author | Adam Langley <agl@golang.org> | 2012-03-19 12:34:35 -0400 |
---|---|---|
committer | Adam Langley <agl@golang.org> | 2012-03-19 12:34:35 -0400 |
commit | aa1d4170a4f586bf2d9c68097f049977146bd31c (patch) | |
tree | 84580e6679f10de030e90990d60e93d766039c73 | |
parent | d05b3869286a48afbc228992b314f0bf817afc48 (diff) | |
download | go-aa1d4170a4f586bf2d9c68097f049977146bd31c.tar.gz go-aa1d4170a4f586bf2d9c68097f049977146bd31c.zip |
crypto/tls: always send a Certificate message if one was requested.
If a CertificateRequest is received we have to reply with a
Certificate message, even if we don't have a certificate to offer.
Fixes #3339.
R=golang-dev, r, ality
CC=golang-dev
https://golang.org/cl/5845067
-rw-r--r-- | src/pkg/crypto/tls/handshake_client.go | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/pkg/crypto/tls/handshake_client.go b/src/pkg/crypto/tls/handshake_client.go index 266eb8f578..2877f17387 100644 --- a/src/pkg/crypto/tls/handshake_client.go +++ b/src/pkg/crypto/tls/handshake_client.go @@ -166,8 +166,11 @@ func (c *Conn) clientHandshake() error { } var certToSend *Certificate + var certRequested bool certReq, ok := msg.(*certificateRequestMsg) if ok { + certRequested = true + // RFC 4346 on the certificateAuthorities field: // A list of the distinguished names of acceptable certificate // authorities. These distinguished names may specify a desired @@ -238,9 +241,14 @@ func (c *Conn) clientHandshake() error { } finishedHash.Write(shd.marshal()) - if certToSend != nil { + // If the server requested a certificate then we have to send a + // Certificate message, even if it's empty because we don't have a + // certificate to send. + if certRequested { certMsg = new(certificateMsg) - certMsg.certificates = certToSend.Certificate + if certToSend != nil { + certMsg.certificates = certToSend.Certificate + } finishedHash.Write(certMsg.marshal()) c.writeRecord(recordTypeHandshake, certMsg.marshal()) } |