aboutsummaryrefslogtreecommitdiff
path: root/src/crypto/tls/handshake_server.go
diff options
context:
space:
mode:
Diffstat (limited to 'src/crypto/tls/handshake_server.go')
-rw-r--r--src/crypto/tls/handshake_server.go7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 9c3e0f636e..9b05a27251 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -313,7 +313,8 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
// If we don't have hardware support for AES-GCM, prefer other AEAD
// ciphers even if the client prioritized AES-GCM.
- if !hasAESGCMHardwareSupport {
+ // If BoringCrypto is enabled, always prioritize AES-GCM.
+ if !hasAESGCMHardwareSupport && !boringEnabled {
preferenceList = deprioritizeAES(preferenceList)
}
}
@@ -515,7 +516,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
}
if c.vers >= VersionTLS12 {
certReq.hasSignatureAlgorithm = true
- certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
+ certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
}
// An empty list of certificateAuthorities signals to
@@ -786,6 +787,8 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
opts := x509.VerifyOptions{
+ IsBoring: isBoringCertificate,
+
Roots: c.config.ClientCAs,
CurrentTime: c.config.time(),
Intermediates: x509.NewCertPool(),
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion