require ALPN during the TLS handshake

2025-04-04 12:47:36 +03:00 · 2019-06-02 00:29:18 +08:00 · 2019-06-02 00:29:18 +08:00 · 979ab75b3b
commit 979ab75b3b
parent 74ddf326c1
21 changed files with 121 additions and 119 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -5,6 +5,7 @@
 - Implement HTTP/3.
 - Rename `quic.Cookie` to `quic.Token` and `quic.Config.AcceptCookie` to `quic.Config.AcceptToken`.
 - Distinguish between Retry tokens and tokens sent in NEW_TOKEN frames.
 - Enforce application protocol negotiation (via `tls.Config.NextProtos`).
 ## v0.11.0 (2019-04-05)
--- a/benchmark/benchmark_test.go
+++ b/benchmark/benchmark_test.go
@ -35,9 +35,11 @@ func init() {
 					go func() {
 						defer GinkgoRecover()
 						var err error
 						tlsConf := testdata.GetTLSConfig()
 						tlsConf.NextProtos = []string{"benchmark"}
 						ln, err = quic.ListenAddr(
 							"localhost:0",
-							testdata.GetTLSConfig(),
+							tlsConf,
 							&quic.Config{Versions: []protocol.VersionNumber{version}},
 						)
 						Expect(err).ToNot(HaveOccurred())
@ -59,7 +61,7 @@ func init() {
 					addr := <-serverAddr
 					sess, err := quic.DialAddr(
 						addr.String(),
-						&tls.Config{InsecureSkipVerify: true},
+						&tls.Config{InsecureSkipVerify: true, NextProtos: []string{"benchmark"}},
 						&quic.Config{Versions: []protocol.VersionNumber{version}},
 					)
 					Expect(err).ToNot(HaveOccurred())
--- a/go.mod
+++ b/go.mod
@ -6,7 +6,7 @@ require (
 	github.com/cheekybits/genny v1.0.0
 	github.com/golang/mock v1.2.0
 	github.com/marten-seemann/qpack v0.1.0
-	github.com/marten-seemann/qtls v0.2.3
+	github.com/marten-seemann/qtls v0.2.4
 	github.com/onsi/ginkgo v1.7.0
 	github.com/onsi/gomega v1.4.3
 	golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25
--- a/go.sum
+++ b/go.sum
@ -10,8 +10,8 @@ github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/marten-seemann/qpack v0.1.0 h1:/0M7lkda/6mus9B8u34Asqm8ZhHAAt9Ho0vniNuVSVg=
 github.com/marten-seemann/qpack v0.1.0/go.mod h1:LFt1NU/Ptjip0C2CPkhimBz5CGE3WGDAUWqna+CNTrI=
-github.com/marten-seemann/qtls v0.2.3 h1:0yWJ43C62LsZt08vuQJDK1uC1czUc3FJeCLPoNAI4vA=
+github.com/marten-seemann/qtls v0.2.4 h1:mCJ6i1jAqcsm9XODrSGvXECodoAb1STta+TkxJCwCnE=
-github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
+github.com/marten-seemann/qtls v0.2.4/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
--- a/integrationtests/self/cancelation_test.go
+++ b/integrationtests/self/cancelation_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"io"
 	"io/ioutil"
@ -12,7 +11,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testserver"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -27,7 +25,7 @@ var _ = Describe("Stream Cancelations", func() {
 		runServer := func() <-chan int32 {
 			numCanceledStreamsChan := make(chan int32)
 			var err error
-			server, err = quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+			server, err = quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 			Expect(err).ToNot(HaveOccurred())
 			var canceledCounter int32
@ -65,7 +63,7 @@ var _ = Describe("Stream Cancelations", func() {
 			serverCanceledCounterChan := runServer()
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{MaxIncomingUniStreams: numStreams / 2},
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -109,7 +107,7 @@ var _ = Describe("Stream Cancelations", func() {
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{MaxIncomingUniStreams: numStreams / 2},
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -157,7 +155,7 @@ var _ = Describe("Stream Cancelations", func() {
 		runClient := func(server quic.Listener) int32 /* number of canceled streams */ {
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{MaxIncomingUniStreams: numStreams / 2},
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -192,7 +190,7 @@ var _ = Describe("Stream Cancelations", func() {
 		}
 		It("downloads when the server cancels some streams immediately", func() {
-			server, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 			Expect(err).ToNot(HaveOccurred())
 			var canceledCounter int32
@ -223,7 +221,7 @@ var _ = Describe("Stream Cancelations", func() {
 		})
 		It("downloads when the server cancels some streams after sending some data", func() {
-			server, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 			Expect(err).ToNot(HaveOccurred())
 			var canceledCounter int32
@ -259,7 +257,7 @@ var _ = Describe("Stream Cancelations", func() {
 	Context("canceling both read and write side", func() {
 		It("downloads data when both sides cancel streams immediately", func() {
-			server, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 			Expect(err).ToNot(HaveOccurred())
 			done := make(chan struct{})
@ -293,7 +291,7 @@ var _ = Describe("Stream Cancelations", func() {
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{MaxIncomingUniStreams: numStreams / 2},
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -333,7 +331,7 @@ var _ = Describe("Stream Cancelations", func() {
 		})
 		It("downloads data when both sides cancel streams after a while", func() {
-			server, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 			Expect(err).ToNot(HaveOccurred())
 			done := make(chan struct{})
@ -371,7 +369,7 @@ var _ = Describe("Stream Cancelations", func() {
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{MaxIncomingUniStreams: numStreams / 2},
 			)
 			Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/conn_id_test.go
+++ b/integrationtests/self/conn_id_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"math/rand"
@ -10,7 +9,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testserver"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
@ -22,7 +20,7 @@ var _ = Describe("Connection ID lengths tests", func() {
 	runServer := func(conf *quic.Config) quic.Listener {
 		GinkgoWriter.Write([]byte(fmt.Sprintf("Using %d byte connection ID for the server\n", conf.ConnectionIDLength)))
-		ln, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), conf)
+		ln, err := quic.ListenAddr("localhost:0", getTLSConfig(), conf)
 		Expect(err).ToNot(HaveOccurred())
 		go func() {
 			defer GinkgoRecover()
@ -48,7 +46,7 @@ var _ = Describe("Connection ID lengths tests", func() {
 		GinkgoWriter.Write([]byte(fmt.Sprintf("Using %d byte connection ID for the client\n", conf.ConnectionIDLength)))
 		cl, err := quic.DialAddr(
 			fmt.Sprintf("localhost:%d", addr.(*net.UDPAddr).Port),
-			&tls.Config{RootCAs: testdata.GetRootCA()},
+			getTLSClientConfig(),
 			conf,
 		)
 		Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/deadline_test.go
+++ b/integrationtests/self/deadline_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@ -9,7 +8,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testserver"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -24,7 +22,7 @@ var _ = Describe("Stream deadline tests", func() {
 	BeforeEach(func() {
 		var err error
-		server, err = quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+		server, err = quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 		Expect(err).ToNot(HaveOccurred())
 		acceptedStream := make(chan struct{})
 		go func() {
@ -40,7 +38,7 @@ var _ = Describe("Stream deadline tests", func() {
 		sess, err := quic.DialAddr(
 			fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-			&tls.Config{RootCAs: testdata.GetRootCA()},
+			getTLSClientConfig(),
 			nil,
 		)
 		Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/drop_test.go
+++ b/integrationtests/self/drop_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"math/rand"
 	"net"
@ -11,7 +10,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	quicproxy "github.com/lucas-clemente/quic-go/integrationtests/tools/proxy"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -31,7 +29,7 @@ var _ = Describe("Drop Tests", func() {
 		var err error
 		ln, err = quic.ListenAddr(
 			"localhost:0",
-			testdata.GetTLSConfig(),
+			getTLSConfig(),
 			&quic.Config{
 				Versions: []protocol.VersionNumber{version},
 			},
@ -106,7 +104,7 @@ var _ = Describe("Drop Tests", func() {
 						sess, err := quic.DialAddr(
 							fmt.Sprintf("localhost:%d", proxy.LocalPort()),
-							&tls.Config{RootCAs: testdata.GetRootCA()},
+							getTLSClientConfig(),
 							&quic.Config{Versions: []protocol.VersionNumber{version}},
 						)
 						Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/handshake_drop_test.go
+++ b/integrationtests/self/handshake_drop_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	mrand "math/rand"
 	"net"
@ -10,7 +9,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	quicproxy "github.com/lucas-clemente/quic-go/integrationtests/tools/proxy"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -34,7 +32,7 @@ var _ = Describe("Handshake drop tests", func() {
 		var err error
 		ln, err = quic.ListenAddr(
 			"localhost:0",
-			testdata.GetTLSConfig(),
+			getTLSConfig(),
 			&quic.Config{
 				Versions: []protocol.VersionNumber{version},
 			},
@ -72,7 +70,7 @@ var _ = Describe("Handshake drop tests", func() {
 			}()
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", proxy.LocalPort()),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{Versions: []protocol.VersionNumber{version}},
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -104,7 +102,7 @@ var _ = Describe("Handshake drop tests", func() {
 			}()
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", proxy.LocalPort()),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{Versions: []protocol.VersionNumber{version}},
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -134,7 +132,7 @@ var _ = Describe("Handshake drop tests", func() {
 			}()
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", proxy.LocalPort()),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{Versions: []protocol.VersionNumber{version}},
 			)
 			Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/handshake_rtt_test.go
+++ b/integrationtests/self/handshake_rtt_test.go
@ -2,6 +2,7 @@ package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"net"
 	"time"
@ -9,7 +10,6 @@ import (
 	quicproxy "github.com/lucas-clemente/quic-go/integrationtests/tools/proxy"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
@ -29,7 +29,7 @@ var _ = Describe("Handshake RTT tests", func() {
 	BeforeEach(func() {
 		acceptStopped = make(chan struct{})
 		serverConfig = &quic.Config{}
-		serverTLSConfig = testdata.GetTLSConfig()
+		serverTLSConfig = getTLSConfig()
 	})
 	AfterEach(func() {
@ -82,22 +82,23 @@ var _ = Describe("Handshake RTT tests", func() {
 		clientConfig := &quic.Config{
 			Versions: protocol.SupportedVersions[1:2],
 		}
-		_, err := quic.DialAddr(proxy.LocalAddr().String(), nil, clientConfig)
+		_, err := quic.DialAddr(
 			proxy.LocalAddr().String(),
 			getTLSClientConfig(),
 			clientConfig,
 		)
 		Expect(err).To(HaveOccurred())
 		// Expect(err.(qerr.ErrorCode)).To(Equal(qerr.InvalidVersion))
 		expectDurationInRTTs(1)
 	})
 	var clientConfig *quic.Config
 	var clientTLSConfig *tls.Config
 	BeforeEach(func() {
 		serverConfig.Versions = []protocol.VersionNumber{protocol.VersionTLS}
 		clientConfig = &quic.Config{Versions: []protocol.VersionNumber{protocol.VersionTLS}}
-		clientTLSConfig = &tls.Config{
+		clientConfig := getTLSClientConfig()
-			InsecureSkipVerify: true,
+		clientConfig.InsecureSkipVerify = true
 			ServerName:         "localhost",
 		}
 	})
 	// 1 RTT for verifying the source address
@ -105,8 +106,8 @@ var _ = Describe("Handshake RTT tests", func() {
 	It("is forward-secure after 2 RTTs", func() {
 		runServerAndProxy()
 		_, err := quic.DialAddr(
-			proxy.LocalAddr().String(),
+			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
-			clientTLSConfig,
+			getTLSClientConfig(),
 			clientConfig,
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -119,8 +120,8 @@ var _ = Describe("Handshake RTT tests", func() {
 		}
 		runServerAndProxy()
 		_, err := quic.DialAddr(
-			proxy.LocalAddr().String(),
+			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
-			clientTLSConfig,
+			getTLSClientConfig(),
 			clientConfig,
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -134,8 +135,8 @@ var _ = Describe("Handshake RTT tests", func() {
 		serverTLSConfig.CurvePreferences = []tls.CurveID{tls.CurveP384}
 		runServerAndProxy()
 		_, err := quic.DialAddr(
-			proxy.LocalAddr().String(),
+			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
-			clientTLSConfig,
+			getTLSClientConfig(),
 			clientConfig,
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -149,8 +150,8 @@ var _ = Describe("Handshake RTT tests", func() {
 		clientConfig.HandshakeTimeout = 500 * time.Millisecond
 		runServerAndProxy()
 		_, err := quic.DialAddr(
-			proxy.LocalAddr().String(),
+			fmt.Sprintf("localhost:%d", proxy.LocalAddr().(*net.UDPAddr).Port),
-			clientTLSConfig,
+			getTLSClientConfig(),
 			clientConfig,
 		)
 		Expect(err).To(HaveOccurred())
--- a/integrationtests/self/handshake_test.go
+++ b/integrationtests/self/handshake_test.go
@ -10,7 +10,6 @@ import (
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/israce"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/qerr"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
@ -31,7 +30,7 @@ var _ = Describe("Handshake tests", func() {
 		server = nil
 		acceptStopped = make(chan struct{})
 		serverConfig = &quic.Config{}
-		tlsServerConf = testdata.GetTLSConfig()
+		tlsServerConf = getTLSConfig()
 	})
 	AfterEach(func() {
@ -78,7 +77,11 @@ var _ = Describe("Handshake tests", func() {
 				serverConfig.Versions = []protocol.VersionNumber{7, 8, protocol.SupportedVersions[0], 9}
 				server := runServer()
 				defer server.Close()
-				sess, err := quic.DialAddr(server.Addr().String(), &tls.Config{InsecureSkipVerify: true}, nil)
+				sess, err := quic.DialAddr(
 					fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
 					getTLSClientConfig(),
 					nil,
 				)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(sess.(versioner).GetVersion()).To(Equal(protocol.SupportedVersions[0]))
 				Expect(sess.Close()).To(Succeed())
@ -93,7 +96,11 @@ var _ = Describe("Handshake tests", func() {
 				conf := &quic.Config{
 					Versions: []protocol.VersionNumber{7, 8, 9, protocol.SupportedVersions[0], 10},
 				}
-				sess, err := quic.DialAddr(server.Addr().String(), &tls.Config{InsecureSkipVerify: true}, conf)
+				sess, err := quic.DialAddr(
 					fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
 					getTLSClientConfig(),
 					conf,
 				)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(sess.(versioner).GetVersion()).To(Equal(protocol.SupportedVersions[0]))
 				Expect(sess.Close()).To(Succeed())
@ -106,14 +113,10 @@ var _ = Describe("Handshake tests", func() {
 			version := v
 			Context(fmt.Sprintf("using %s", version), func() {
-				var (
+				var clientConfig *quic.Config
 					tlsConf      *tls.Config
 					clientConfig *quic.Config
 				)
 				BeforeEach(func() {
 					serverConfig.Versions = []protocol.VersionNumber{version}
 					tlsConf = &tls.Config{RootCAs: testdata.GetRootCA()}
 					clientConfig = &quic.Config{
 						Versions: []protocol.VersionNumber{version},
 					}
@ -126,7 +129,7 @@ var _ = Describe("Handshake tests", func() {
 				It("accepts the certificate", func() {
 					_, err := quic.DialAddr(
 						fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-						tlsConf,
+						getTLSClientConfig(),
 						clientConfig,
 					)
 					Expect(err).ToNot(HaveOccurred())
@ -135,7 +138,7 @@ var _ = Describe("Handshake tests", func() {
 				It("errors if the server name doesn't match", func() {
 					_, err := quic.DialAddr(
 						fmt.Sprintf("127.0.0.1:%d", server.Addr().(*net.UDPAddr).Port),
-						tlsConf,
+						getTLSClientConfig(),
 						clientConfig,
 					)
 					Expect(err).To(MatchError("CRYPTO_ERROR: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs"))
@ -145,7 +148,7 @@ var _ = Describe("Handshake tests", func() {
 					tlsServerConf.ClientAuth = tls.RequireAndVerifyClientCert
 					sess, err := quic.DialAddr(
 						fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-						tlsConf,
+						getTLSClientConfig(),
 						clientConfig,
 					)
 					// Usually, the error will occur after the client already finished the handshake.
@ -164,6 +167,7 @@ var _ = Describe("Handshake tests", func() {
 				})
 				It("uses the ServerName in the tls.Config", func() {
 					tlsConf := getTLSClientConfig()
 					tlsConf.ServerName = "localhost"
 					_, err := quic.DialAddr(
 						fmt.Sprintf("127.0.0.1:%d", server.Addr().(*net.UDPAddr).Port),
@ -190,7 +194,7 @@ var _ = Describe("Handshake tests", func() {
 				pconn,
 				raddr,
 				remoteAddr,
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				nil,
 			)
 		}
@ -204,7 +208,7 @@ var _ = Describe("Handshake tests", func() {
 			}
 			var err error
 			// start the server, but don't call Accept
-			server, err = quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), serverConfig)
+			server, err = quic.ListenAddr("localhost:0", getTLSConfig(), serverConfig)
 			Expect(err).ToNot(HaveOccurred())
 			// prepare a (single) packet conn for dialing to the server
--- a/integrationtests/self/multiplex_test.go
+++ b/integrationtests/self/multiplex_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@ -12,7 +11,6 @@ import (
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testlog"
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testserver"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -48,7 +46,7 @@ var _ = Describe("Multiplexing", func() {
 					conn,
 					addr,
 					fmt.Sprintf("localhost:%d", addr.(*net.UDPAddr).Port),
-					&tls.Config{RootCAs: testdata.GetRootCA()},
+					getTLSClientConfig(),
 					&quic.Config{Versions: []protocol.VersionNumber{version}},
 				)
 				Expect(err).ToNot(HaveOccurred())
@ -63,7 +61,7 @@ var _ = Describe("Multiplexing", func() {
 				getListener := func() quic.Listener {
 					ln, err := quic.ListenAddr(
 						"localhost:0",
-						testdata.GetTLSConfig(),
+						getTLSConfig(),
 						&quic.Config{Versions: []protocol.VersionNumber{version}},
 					)
 					Expect(err).ToNot(HaveOccurred())
@ -146,7 +144,7 @@ var _ = Describe("Multiplexing", func() {
 					server, err := quic.Listen(
 						conn,
-						testdata.GetTLSConfig(),
+						getTLSConfig(),
 						&quic.Config{Versions: []protocol.VersionNumber{version}},
 					)
 					Expect(err).ToNot(HaveOccurred())
@ -182,7 +180,7 @@ var _ = Describe("Multiplexing", func() {
 					server1, err := quic.Listen(
 						conn1,
-						testdata.GetTLSConfig(),
+						getTLSConfig(),
 						&quic.Config{Versions: []protocol.VersionNumber{version}},
 					)
 					Expect(err).ToNot(HaveOccurred())
@ -191,7 +189,7 @@ var _ = Describe("Multiplexing", func() {
 					server2, err := quic.Listen(
 						conn2,
-						testdata.GetTLSConfig(),
+						getTLSConfig(),
 						&quic.Config{Versions: []protocol.VersionNumber{version}},
 					)
 					Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/resumption_test.go
+++ b/integrationtests/self/resumption_test.go
@ -7,7 +7,6 @@ import (
 	"sync"
 	quic "github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -48,7 +47,7 @@ func (c *clientSessionCache) Put(sessionKey string, cs *tls.ClientSessionState)
 var _ = Describe("TLS session resumption", func() {
 	It("uses session resumption", func() {
-		server, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+		server, err := quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 		Expect(err).ToNot(HaveOccurred())
 		defer server.Close()
@ -68,10 +67,8 @@ var _ = Describe("TLS session resumption", func() {
 		gets := make(chan string, 100)
 		puts := make(chan string, 100)
 		cache := newClientSessionCache(gets, puts)
-		tlsConf := &tls.Config{
+		tlsConf := getTLSClientConfig()
-			RootCAs:            testdata.GetRootCA(),
+		tlsConf.ClientSessionCache = cache
 			ClientSessionCache: cache,
 		}
 		sess, err := quic.DialAddr(
 			fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
 			tlsConf,
--- a/integrationtests/self/rtt_test.go
+++ b/integrationtests/self/rtt_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@ -11,7 +10,6 @@ import (
 	quicproxy "github.com/lucas-clemente/quic-go/integrationtests/tools/proxy"
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testserver"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -35,7 +33,7 @@ var _ = Describe("non-zero RTT", func() {
 				It(fmt.Sprintf("downloads a message with %s RTT", rtt), func() {
 					ln, err := quic.ListenAddr(
 						"localhost:0",
-						testdata.GetTLSConfig(),
+						getTLSConfig(),
 						&quic.Config{
 							Versions: []protocol.VersionNumber{version},
 						},
@ -65,7 +63,7 @@ var _ = Describe("non-zero RTT", func() {
 					sess, err := quic.DialAddr(
 						fmt.Sprintf("localhost:%d", proxy.LocalPort()),
-						&tls.Config{RootCAs: testdata.GetRootCA()},
+						getTLSClientConfig(),
 						&quic.Config{Versions: []protocol.VersionNumber{version}},
 					)
 					Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/self_suite_test.go
+++ b/integrationtests/self/self_suite_test.go
@ -1,6 +1,7 @@
 package self_test
 import (
 	"crypto/tls"
 	"math/rand"
 	"testing"
@ -8,8 +9,24 @@ import (
 	. "github.com/onsi/gomega"
 	_ "github.com/lucas-clemente/quic-go/integrationtests/tools/testlog"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 )
 const alpn = "quic-go integration tests"
 func getTLSConfig() *tls.Config {
 	conf := testdata.GetTLSConfig()
 	conf.NextProtos = []string{alpn}
 	return conf
 }
 func getTLSClientConfig() *tls.Config {
 	return &tls.Config{
 		RootCAs:    testdata.GetRootCA(),
 		NextProtos: []string{alpn},
 	}
 }
 func TestSelf(t *testing.T) {
 	RegisterFailHandler(Fail)
 	RunSpecs(t, "Self integration tests")
--- a/integrationtests/self/stateless_reset_test.go
+++ b/integrationtests/self/stateless_reset_test.go
@ -1,7 +1,6 @@
-package self
+package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"math/rand"
 	"net"
@ -9,8 +8,8 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	quicproxy "github.com/lucas-clemente/quic-go/integrationtests/tools/proxy"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	"github.com/lucas-clemente/quic-go/internal/utils"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
@ -26,7 +25,7 @@ var _ = Describe("Stateless Resets", func() {
 			rand.Read(statelessResetKey)
 			serverConfig := &quic.Config{StatelessResetKey: statelessResetKey}
-			ln, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), serverConfig)
+			ln, err := quic.ListenAddr("localhost:0", getTLSConfig(), serverConfig)
 			Expect(err).ToNot(HaveOccurred())
 			serverPort := ln.Addr().(*net.UDPAddr).Port
@ -57,7 +56,7 @@ var _ = Describe("Stateless Resets", func() {
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", proxy.LocalPort()),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{
 					ConnectionIDLength: connIDLen,
 					IdleTimeout:        2 * time.Second,
@ -78,7 +77,7 @@ var _ = Describe("Stateless Resets", func() {
 			ln2, err := quic.ListenAddr(
 				fmt.Sprintf("localhost:%d", serverPort),
-				testdata.GetTLSConfig(),
+				getTLSConfig(),
 				serverConfig,
 			)
 			Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/stream_test.go
+++ b/integrationtests/self/stream_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@ -10,7 +9,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testserver"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -35,7 +33,7 @@ var _ = Describe("Bidirectional streams", func() {
 					Versions:           []protocol.VersionNumber{version},
 					MaxIncomingStreams: 0,
 				}
-				server, err = quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), qconf)
+				server, err = quic.ListenAddr("localhost:0", getTLSConfig(), qconf)
 				Expect(err).ToNot(HaveOccurred())
 				serverAddr = fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port)
 			})
@ -101,7 +99,7 @@ var _ = Describe("Bidirectional streams", func() {
 				client, err := quic.DialAddr(
 					serverAddr,
-					&tls.Config{RootCAs: testdata.GetRootCA()},
+					getTLSClientConfig(),
 					qconf,
 				)
 				Expect(err).ToNot(HaveOccurred())
@ -119,7 +117,7 @@ var _ = Describe("Bidirectional streams", func() {
 				client, err := quic.DialAddr(
 					serverAddr,
-					&tls.Config{RootCAs: testdata.GetRootCA()},
+					getTLSClientConfig(),
 					qconf,
 				)
 				Expect(err).ToNot(HaveOccurred())
@ -146,7 +144,7 @@ var _ = Describe("Bidirectional streams", func() {
 				client, err := quic.DialAddr(
 					serverAddr,
-					&tls.Config{RootCAs: testdata.GetRootCA()},
+					getTLSClientConfig(),
 					qconf,
 				)
 				Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/timeout_test.go
+++ b/integrationtests/self/timeout_test.go
@ -2,7 +2,6 @@ package self_test
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	"net"
 	"os"
@ -11,7 +10,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	quicproxy "github.com/lucas-clemente/quic-go/integrationtests/tools/proxy"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	"github.com/lucas-clemente/quic-go/internal/utils"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -30,7 +28,7 @@ var _ = Describe("Timeout tests", func() {
 		go func() {
 			_, err := quic.DialAddr(
 				"localhost:12345",
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{HandshakeTimeout: 10 * time.Millisecond},
 			)
 			errChan <- err
@ -48,7 +46,7 @@ var _ = Describe("Timeout tests", func() {
 			_, err := quic.DialAddrContext(
 				ctx,
 				"localhost:12345",
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				nil,
 			)
 			errChan <- err
@ -64,7 +62,7 @@ var _ = Describe("Timeout tests", func() {
 		server, err := quic.ListenAddr(
 			"localhost:0",
-			testdata.GetTLSConfig(),
+			getTLSConfig(),
 			nil,
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -93,7 +91,7 @@ var _ = Describe("Timeout tests", func() {
 		sess, err := quic.DialAddr(
 			fmt.Sprintf("localhost:%d", proxy.LocalPort()),
-			&tls.Config{RootCAs: testdata.GetRootCA()},
+			getTLSClientConfig(),
 			&quic.Config{IdleTimeout: idleTimeout},
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -141,7 +139,7 @@ var _ = Describe("Timeout tests", func() {
 		})
 		It("times out after inactivity", func() {
-			server, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 			Expect(err).ToNot(HaveOccurred())
 			defer server.Close()
@ -156,7 +154,7 @@ var _ = Describe("Timeout tests", func() {
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{IdleTimeout: idleTimeout},
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -182,7 +180,7 @@ var _ = Describe("Timeout tests", func() {
 		})
 		It("times out after sending a packet", func() {
-			server, err := quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), nil)
+			server, err := quic.ListenAddr("localhost:0", getTLSConfig(), nil)
 			Expect(err).ToNot(HaveOccurred())
 			defer server.Close()
@ -197,7 +195,7 @@ var _ = Describe("Timeout tests", func() {
 			sess, err := quic.DialAddr(
 				fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
-				&tls.Config{RootCAs: testdata.GetRootCA()},
+				getTLSClientConfig(),
 				&quic.Config{IdleTimeout: idleTimeout},
 			)
 			Expect(err).ToNot(HaveOccurred())
--- a/integrationtests/self/uni_stream_test.go
+++ b/integrationtests/self/uni_stream_test.go
@ -1,7 +1,6 @@
 package self_test
 import (
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@ -10,7 +9,6 @@ import (
 	quic "github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/integrationtests/tools/testserver"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
 	"github.com/lucas-clemente/quic-go/internal/testdata"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -28,7 +26,7 @@ var _ = Describe("Unidirectional Streams", func() {
 	BeforeEach(func() {
 		var err error
 		qconf = &quic.Config{Versions: []protocol.VersionNumber{protocol.VersionTLS}}
-		server, err = quic.ListenAddr("localhost:0", testdata.GetTLSConfig(), qconf)
+		server, err = quic.ListenAddr("localhost:0", getTLSConfig(), qconf)
 		Expect(err).ToNot(HaveOccurred())
 		serverAddr = fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port)
 	})
@ -82,7 +80,7 @@ var _ = Describe("Unidirectional Streams", func() {
 		client, err := quic.DialAddr(
 			serverAddr,
-			&tls.Config{RootCAs: testdata.GetRootCA()},
+			getTLSClientConfig(),
 			qconf,
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -100,7 +98,7 @@ var _ = Describe("Unidirectional Streams", func() {
 		client, err := quic.DialAddr(
 			serverAddr,
-			&tls.Config{RootCAs: testdata.GetRootCA()},
+			getTLSClientConfig(),
 			qconf,
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -126,7 +124,7 @@ var _ = Describe("Unidirectional Streams", func() {
 		client, err := quic.DialAddr(
 			serverAddr,
-			&tls.Config{RootCAs: testdata.GetRootCA()},
+			getTLSClientConfig(),
 			qconf,
 		)
 		Expect(err).ToNot(HaveOccurred())
--- a/internal/handshake/crypto_setup_test.go
+++ b/internal/handshake/crypto_setup_test.go
@ -52,7 +52,7 @@ func (s *stream) Write(b []byte) (int, error) {
 }
 var _ = Describe("Crypto Setup TLS", func() {
-	var clientConf *tls.Config
+	var clientConf, serverConf *tls.Config
 	initStreams := func() (chan chunk, *stream /* initial */, *stream /* handshake */) {
 		chunkChan := make(chan chunk, 100)
@ -62,9 +62,12 @@ var _ = Describe("Crypto Setup TLS", func() {
 	}
 	BeforeEach(func() {
 		serverConf = testdata.GetTLSConfig()
 		serverConf.NextProtos = []string{"crypto-setup"}
 		clientConf = &tls.Config{
 			ServerName: "localhost",
 			RootCAs:    testdata.GetRootCA(),
 			NextProtos: []string{"crypto-setup"},
 		}
 	})
@ -196,7 +199,7 @@ var _ = Describe("Crypto Setup TLS", func() {
 			nil,
 			&TransportParameters{},
 			runner,
-			testdata.GetTLSConfig(),
+			serverConf,
 			utils.DefaultLogger.WithPrefix("server"),
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -229,7 +232,7 @@ var _ = Describe("Crypto Setup TLS", func() {
 			nil,
 			&TransportParameters{},
 			NewMockHandshakeRunner(mockCtrl),
-			testdata.GetTLSConfig(),
+			serverConf,
 			utils.DefaultLogger.WithPrefix("server"),
 		)
 		Expect(err).ToNot(HaveOccurred())
@ -349,14 +352,12 @@ var _ = Describe("Crypto Setup TLS", func() {
 		}
 		It("handshakes", func() {
 			serverConf := testdata.GetTLSConfig()
 			clientErr, serverErr := handshakeWithTLSConf(clientConf, serverConf)
 			Expect(clientErr).ToNot(HaveOccurred())
 			Expect(serverErr).ToNot(HaveOccurred())
 		})
 		It("performs a HelloRetryRequst", func() {
 			serverConf := testdata.GetTLSConfig()
 			serverConf.CurvePreferences = []tls.CurveID{tls.CurveP384}
 			clientErr, serverErr := handshakeWithTLSConf(clientConf, serverConf)
 			Expect(clientErr).ToNot(HaveOccurred())
@ -365,7 +366,6 @@ var _ = Describe("Crypto Setup TLS", func() {
 		It("handshakes with client auth", func() {
 			clientConf.Certificates = []tls.Certificate{generateCert()}
 			serverConf := testdata.GetTLSConfig()
 			serverConf.ClientAuth = qtls.RequireAnyClientCert
 			clientErr, serverErr := handshakeWithTLSConf(clientConf, serverConf)
 			Expect(clientErr).ToNot(HaveOccurred())
@ -445,7 +445,7 @@ var _ = Describe("Crypto Setup TLS", func() {
 				nil,
 				sTransportParameters,
 				sRunner,
-				testdata.GetTLSConfig(),
+				serverConf,
 				utils.DefaultLogger.WithPrefix("server"),
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -497,7 +497,7 @@ var _ = Describe("Crypto Setup TLS", func() {
 				nil,
 				&TransportParameters{},
 				sRunner,
-				testdata.GetTLSConfig(),
+				serverConf,
 				utils.DefaultLogger.WithPrefix("server"),
 			)
 			Expect(err).ToNot(HaveOccurred())
@ -552,7 +552,7 @@ var _ = Describe("Crypto Setup TLS", func() {
 				nil,
 				&TransportParameters{},
 				sRunner,
-				testdata.GetTLSConfig(),
+				serverConf,
 				utils.DefaultLogger.WithPrefix("server"),
 			)
 			Expect(err).ToNot(HaveOccurred())
--- a/internal/handshake/qtls.go
+++ b/internal/handshake/qtls.go
@ -110,6 +110,7 @@ func tlsConfigToQtlsConfig(
 		VerifyPeerCertificate:       c.VerifyPeerCertificate,
 		RootCAs:                     c.RootCAs,
 		NextProtos:                  c.NextProtos,
 		EnforceNextProtoSelection:   true,
 		ServerName:                  c.ServerName,
 		ClientAuth:                  c.ClientAuth,
 		ClientCAs:                   c.ClientCAs,