Diffstat (limited to 'src/crypto/tls/handshake_server.go')
-rw-r--r-- | src/crypto/tls/handshake_server.go | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 9c3e0f636e..9b05a27251 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -313,7 +313,8 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
 // If we don't have hardware support for AES-GCM, prefer other AEAD
 // ciphers even if the client prioritized AES-GCM.
- if !hasAESGCMHardwareSupport {
+ // If BoringCrypto is enabled, always prioritize AES-GCM.
+ if !hasAESGCMHardwareSupport && !boringEnabled {
 preferenceList = deprioritizeAES(preferenceList)
 }
 }
@@ -515,7 +516,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 }
 if c.vers >= VersionTLS12 {
 certReq.hasSignatureAlgorithm = true
- certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
+ certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
 }
 // An empty list of certificateAuthorities signals to
@@ -786,6 +787,8 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
 opts := x509.VerifyOptions{
+ IsBoring: isBoringCertificate,
+
 Roots: c.config.ClientCAs,
 CurrentTime: c.config.time(),
 Intermediates: x509.NewCertPool(), |
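Review bot: The added comment in pickCipherSuite says AES-GCM is "always" prioritized under BoringCrypto, but the new condition `!hasAESGCMHardwareSupport && !boringEnabled` only skips the call to `deprioritizeAES`; the resulting order still comes from `preferenceList`, and the comment does not say why the hardware check stops mattering. I would reword it along the lines of `// With BoringCrypto enabled, never deprioritize AES-GCM, even without hardware support, because <reason>.` so a later reader can tell whether the motive is suite approval or the AES implementation in use. The enclosing if-block and the function body start and end outside this hunk, so how `preferenceList` was built is not visible here.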
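Review bot: In doFullHandshake the CertificateRequest now advertises `supportedSignatureAlgorithms()`, but this hunk shows only the advertising side. The CertificateVerify handling, which lies outside the hunk, should check the client's chosen algorithm against the list that was actually sent (`certReq.supportedSignatureAlgorithms`) rather than a package-level default, otherwise a signature algorithm the server did not offer in this mode could still be accepted. A short comment such as `// The list can be narrowed at run time, so it is computed per handshake.` would also explain why the variable became a call; that reading is inferred from the rest of the commit, not from this hunk.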
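Review bot: `IsBoring: isBoringCertificate` is installed on every client-certificate verification in processCertsFromClient with no visible guard on whether the restricted mode is active, so the callback itself has to accept every certificate when that mode is off; otherwise existing mutual-TLS deployments would start rejecting chains that verified before. The definition of `isBoringCertificate` is not part of this diff, so this needs confirming, and a test that verifies an unrestricted client chain with the mode off would pin it down. A field comment such as `// IsBoring limits chain building to certificates allowed in the restricted mode; it must return true for all certificates otherwise.` would document the contract. The VerifyOptions literal continues past the end of the hunk.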