dtls
Add support for session resumption when using client certificates
Description
Previously, if a client submitted a certificate, any session resumption would be ignored in order to mitigate indefinite extension attacks as per https://curl.se/docs/CVE-2016-5419.html, but this prevented improving performance under mutual authentication use cases.
Now if RequireAndVerifyClientCert / VerifyClientCertIfGiven are used, the certificate expiry time is recorded in the session struct, allowing the user-provided session store to decide what to do with "expired" sessions.
Revocations are still not handled via this mechanism, and the old behaviour can be preserved using the new config PeerCertDisablesSessionResumption.
This is going to need some tests.
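The store-side decision the description leaves to the user, as an added example (not pion/dtls code, and not from this PR): a hypothetical in-memory session store that records the peer certificate's NotAfter alongside the resumption secret and refuses to hand the session back once that time has passed, so a session cannot outlive the certificate that authenticated it. The `Session` struct, its field names and the `Set`/`Get`/`Del` shape are assumptions modelled on the description, not the library's API; the clock is injectable so the cut-off can be tested deterministically.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Errors the store returns so the handshake can fall back to a full handshake.
var (
	ErrSessionNotFound = errors.New("session store: not found")
	ErrSessionExpired  = errors.New("session store: peer certificate expired")
)

// Session is a hypothetical stand-in for a DTLS resumption record (the real
// struct and field names are an assumption, not the library's). PeerCertExpiry
// is the zero time when the peer presented no certificate.
type Session struct {
	ID             []byte
	Secret         []byte
	PeerCertExpiry time.Time
}

// PeerCertExpiry returns the earliest NotAfter in a presented chain: the last
// moment any session derived from it should still be resumable. A nil chain
// yields the zero time (no certificate, so no certificate-based bound).
func PeerCertExpiry(chain []*x509.Certificate) time.Time {
	var earliest time.Time
	for _, c := range chain {
		if earliest.IsZero() || c.NotAfter.Before(earliest) {
			earliest = c.NotAfter
		}
	}
	return earliest
}

// ExpiryAwareStore is a hypothetical in-memory session store that refuses to
// return (and purges) sessions whose peer certificate has expired.
type ExpiryAwareStore struct {
	mu       sync.Mutex
	sessions map[string]Session
	now      func() time.Time
}

// NewExpiryAwareStore builds a store; a nil clock means time.Now.
func NewExpiryAwareStore(now func() time.Time) *ExpiryAwareStore {
	if now == nil {
		now = time.Now
	}
	return &ExpiryAwareStore{sessions: make(map[string]Session), now: now}
}

// expired is true once the clock reaches NotAfter; sessions without a
// certificate are never expired by this check (revocation is out of scope).
func (s *ExpiryAwareStore) expired(sess Session) bool {
	return !sess.PeerCertExpiry.IsZero() && !s.now().Before(sess.PeerCertExpiry)
}

// Set stores a session unless its certificate has already expired.
func (s *ExpiryAwareStore) Set(key []byte, sess Session) error {
	if s.expired(sess) {
		return ErrSessionExpired
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[string(key)] = sess
	return nil
}

// Get returns a session only while its certificate is valid; an expired entry
// is deleted so a later lookup cannot resume it either.
func (s *ExpiryAwareStore) Get(key []byte) (Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[string(key)]
	if !ok {
		return Session{}, ErrSessionNotFound
	}
	if s.expired(sess) {
		delete(s.sessions, string(key))
		return Session{}, ErrSessionExpired
	}
	return sess, nil
}

// Del removes a session unconditionally.
func (s *ExpiryAwareStore) Del(key []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, string(key))
	return nil
}

func main() {
	// Constructed sample: a chain expiring one hour from now and a clock we advance.
	now := time.Now()
	clock := now
	store := NewExpiryAwareStore(func() time.Time { return clock })
	chain := []*x509.Certificate{{NotAfter: now.Add(time.Hour)}}
	sess := Session{ID: []byte("sid-1"), Secret: []byte("master-secret"), PeerCertExpiry: PeerCertExpiry(chain)}
	_ = store.Set(sess.ID, sess)
	_, err := store.Get(sess.ID)
	fmt.Println("within cert lifetime:", err)
	clock = now.Add(2 * time.Hour)
	_, err = store.Get(sess.ID)
	fmt.Println("after cert expiry:", err)
}
```

Taking the earliest NotAfter across the whole chain rather than the leaf's alone matters when an intermediate expires before the leaf: a verifier would reject the chain at that point in a full handshake, so resumption should stop at the same moment. A deployment that wants the pre-PR behaviour instead would set the PeerCertDisablesSessionResumption option named in the description rather than use a store like this.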
Codecov Report
Merging #447 (5ce50c0) into master (2a699e1) will increase coverage by 0.05%. The diff coverage is 88.37%.
@@ Coverage Diff @@
## master #447 +/- ##
==========================================
+ Coverage 75.81% 75.87% +0.05%
==========================================
Files 96 96
Lines 5586 5599 +13
==========================================
+ Hits 4235 4248 +13
Misses 1019 1019
Partials 332 332
| Flag | Coverage Δ | |
|---|---|---|
| go | 75.89% <88.37%> (+0.05%) | :arrow_up: |
| wasm | 66.22% <87.50%> (+0.11%) | :arrow_up: |
| Impacted Files | Coverage Δ | |
|---|---|---|
| config.go | 100.00% <ø> (ø) | |
| handshaker.go | 75.95% <ø> (ø) | |
| state.go | 88.61% <ø> (ø) | |
| flight4handler.go | 77.60% <57.14%> (-0.68%) | :arrow_down: |
| crypto.go | 51.26% <75.00%> (+0.62%) | :arrow_up: |
| conn.go | 80.86% <100.00%> (+0.02%) | :arrow_up: |
| flight5handler.go | 78.24% <100.00%> (+0.23%) | :arrow_up: |
| pkg/crypto/selfsign/selfsign.go | 78.46% <100.00%> (+1.04%) | :arrow_up: |
| internal/net/dpipe/dpipe.go | 94.44% <0.00%> (-2.23%) | :arrow_down: |
| ... and 2 more | | |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
I can't really tell from the logs whether the CI is failing due to my changes. If it's just the commit message linting, I was going to squash everything.
Yeah, it's just the commit message. All the other checks passed.