diff options
Diffstat (limited to 'src/crypto/tls/handshake_client.go')
-rw-r--r-- | src/crypto/tls/handshake_client.go | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go index ed000eb619..1ff3422148 100644 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@ -114,7 +114,10 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) { } if hello.vers >= VersionTLS12 { - hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms + hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + } + if testingOnlyForceClientHelloSignatureAlgorithms != nil { + hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms } var params ecdheParameters @@ -573,7 +576,7 @@ func (hs *clientHandshakeState) doFullHandshake() error { return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey) } - signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12, c.vers) + signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12(), c.vers) if err != nil { c.sendAlert(alertInternalError) return err @@ -822,6 +825,8 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error { if !c.config.InsecureSkipVerify { opts := x509.VerifyOptions{ + IsBoring: isBoringCertificate, + Roots: c.config.RootCAs, CurrentTime: c.config.time(), DNSName: c.config.ServerName, |