
Add support for session resumption when using client certificates

Open eh-steve opened this issue 2 years ago • 4 comments

Description

Previously, if a client submitted a certificate, any session resumption would be ignored in order to mitigate indefinite extension attacks as per https://curl.se/docs/CVE-2016-5419.html, but this prevented improving performance under mutual authentication use cases.

Now if RequireAndVerifyClientCert/VerifyClientCertIfGiven are used, the certificate expiry time is recorded in the session struct, allowing the user provided session store to decide what to do with "expired" sessions.

Revocations are still not handled via this mechanism, and the old behaviour can be preserved using the new config PeerCertDisablesSessionResumption.

eh-steve avatar Apr 14 '22 15:04 eh-steve
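The description above leaves the policy decision to the user-provided session store: once the client certificate's expiry is recorded alongside the session, the store can refuse to resume a session whose certificate has lapsed, which is what closes the indefinite-extension window that CVE-2016-5419 describes. The following is an added example of such a store, not code from the PR or from pion/dtls; the Session struct, its PeerCertExpiry field, the Set/Get/Del method set and the injectable Now clock are all assumptions made here so the block runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Session is an assumed stand-in for a resumable DTLS session record.
// PeerCertExpiry is the field this example assumes the handshake fills in
// when a client certificate was verified; a zero value means the peer
// presented no certificate, so no expiry policy applies to that session.
type Session struct {
	ID             []byte
	Secret         []byte
	PeerCertExpiry time.Time
}

var (
	ErrSessionNotFound = errors.New("session not found")
	ErrSessionExpired  = errors.New("session rejected: peer certificate has expired")
)

// ExpiryAwareStore is a hypothetical in-memory session store. Get refuses to
// hand back (and forgets) any session whose recorded certificate expiry has
// passed, so a resumed session can never outlive the certificate that
// authenticated it. Now is injectable so the policy is testable offline.
type ExpiryAwareStore struct {
	mu       sync.Mutex
	sessions map[string]Session
	Now      func() time.Time
}

func NewExpiryAwareStore() *ExpiryAwareStore {
	return &ExpiryAwareStore{sessions: make(map[string]Session), Now: time.Now}
}

func (s *ExpiryAwareStore) Set(key []byte, sess Session) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[string(key)] = sess
	return nil
}

func (s *ExpiryAwareStore) Get(key []byte) (Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[string(key)]
	if !ok {
		return Session{}, ErrSessionNotFound
	}
	// Only sessions established with a client certificate carry an expiry.
	if !sess.PeerCertExpiry.IsZero() && !s.Now().Before(sess.PeerCertExpiry) {
		delete(s.sessions, string(key)) // do not let a stale entry linger
		return Session{}, ErrSessionExpired
	}
	return sess, nil
}

func (s *ExpiryAwareStore) Del(key []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, string(key))
	return nil
}

func main() {
	// Constructed demo values: a session tied to a certificate that expires
	// one hour after "now", then a clock advanced past that point.
	st := NewExpiryAwareStore()
	base := time.Date(2022, 4, 14, 15, 0, 0, 0, time.UTC)
	st.Now = func() time.Time { return base }
	_ = st.Set([]byte("sess-1"), Session{
		ID: []byte("sess-1"), Secret: []byte("constructed-secret"),
		PeerCertExpiry: base.Add(time.Hour),
	})
	_, err := st.Get([]byte("sess-1"))
	fmt.Println("before expiry:", err) // nil: resumption allowed
	st.Now = func() time.Time { return base.Add(2 * time.Hour) }
	_, err = st.Get([]byte("sess-1"))
	fmt.Println("after expiry: ", err) // ErrSessionExpired: full handshake required
}
```

Deleting the entry on rejection matters: a store that only returns an error but keeps the record would still let the session be re-read by a store that ignores expiry. Revocation, as the description notes, is not covered by this check and would need a separate lookup in Get.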

This is going to need some tests.

daenney avatar Apr 14 '22 15:04 daenney

Codecov Report

Merging #447 (5ce50c0) into master (2a699e1) will increase coverage by 0.05%. The diff coverage is 88.37%.

@@            Coverage Diff             @@
##           master     #447      +/-   ##
==========================================
+ Coverage   75.81%   75.87%   +0.05%     
==========================================
  Files          96       96              
  Lines        5586     5599      +13     
==========================================
+ Hits         4235     4248      +13     
  Misses       1019     1019              
  Partials      332      332              
Flag   Coverage Δ
go     75.89% <88.37%> (+0.05%) ↑
wasm   66.22% <87.50%> (+0.11%) ↑

Flags with carried forward coverage won't be shown.

Impacted Files                       Coverage Δ
config.go                            100.00% <ø> (ø)
handshaker.go                        75.95% <ø> (ø)
state.go                             88.61% <ø> (ø)
flight4handler.go                    77.60% <57.14%> (-0.68%) ↓
crypto.go                            51.26% <75.00%> (+0.62%) ↑
conn.go                              80.86% <100.00%> (+0.02%) ↑
flight5handler.go                    78.24% <100.00%> (+0.23%) ↑
pkg/crypto/selfsign/selfsign.go      78.46% <100.00%> (+1.04%) ↑
internal/net/dpipe/dpipe.go          94.44% <0.00%> (-2.23%) ↓
... and 2 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 2a699e1...5ce50c0.

codecov[bot] avatar Apr 16 '22 09:04 codecov[bot]

I can’t really tell from the logs whether the CI is failing due to my changes… if it’s just the commit message linting, I was going to squash everything

eh-steve avatar Apr 16 '22 11:04 eh-steve

Yeah, it's just the commit message. All the other checks passed.

daenney avatar Apr 17 '22 09:04 daenney