fix: Config.InsecureSkipTimeVerify did not skip peerCertificate expiry check (#303)

Signed-off-by: adotkhan <61702862+adotkhan@users.noreply.github.com>
Reviewed-by: Gaukas Wang <i@gaukas.wang>
adotkhan 2024-07-16 01:55:28 -04:00 committed by GitHub
parent 925bfb39ab
commit 206f659ab4


@ -368,25 +368,21 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
// Check that the cached server certificate is not expired, and that it's
// valid for the ServerName. This should be ensured by the cache key, but
// protect the application from a faulty ClientSessionCache implementation.
if c.config.time().After(session.peerCertificates[0].NotAfter) {
// Expired certificate, delete the entry.
c.config.ClientSessionCache.Put(cacheKey, nil)
return nil, nil, nil, nil
// [UTLS SECTION START]
if !c.config.InsecureSkipTimeVerify {
if c.config.time().After(session.peerCertificates[0].NotAfter) {
// Expired certificate, delete the entry.
c.config.ClientSessionCache.Put(cacheKey, nil)
return nil, nil, nil, nil
}
}
// [UTLS SECTION END]
if !c.config.InsecureSkipVerify {
if len(session.verifiedChains) == 0 {
// The original connection had InsecureSkipVerify, while this doesn't.
return nil, nil, nil, nil
}
serverCert := session.peerCertificates[0]
// [UTLS SECTION START]
if !c.config.InsecureSkipTimeVerify {
if c.config.time().After(serverCert.NotAfter) {
// Expired certificate, delete the entry.
c.config.ClientSessionCache.Put(cacheKey, nil)
return nil, nil, nil, nil
}
}
var dnsName string
if len(c.config.InsecureServerNameToVerify) == 0 {
dnsName = c.config.ServerName
@ -394,7 +390,7 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
dnsName = c.config.InsecureServerNameToVerify
}
if len(dnsName) > 0 {
if err := serverCert.VerifyHostname(dnsName); err != nil {
if err := session.peerCertificates[0].VerifyHostname(dnsName); err != nil {
return nil, nil, nil, nil
}
}
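Review bot: The comment at the top of the first hunk still promises an expiry check on the cached server certificate, but the added `if !c.config.InsecureSkipTimeVerify {` guard makes that check conditional, so the comment should state what the skip means for resumption; I would append `// When Config.InsecureSkipTimeVerify is set this check is skipped and a cached session whose certificate has since expired may still be resumed.` to that comment block. It is not clear from the rendered page whether the `serverCert := session.peerCertificates[0]` line survives on the new side; if it does, it becomes unused once the second hunk switches the hostname check to `session.peerCertificates[0].VerifyHostname(dnsName)`, and Go will reject the build, so either drop that declaration or keep using `serverCert` there. loadSession's body begins before the first hunk and continues past the second.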