crypto/tls: rotate session keys in older TLS versions

Also encode the certificates in a way that's more consistent with TLS 1.3 (with a 24 byte length prefix). Note that this will have an additional performance cost requiring clients to do a full handshake every 7 days where previously they were able to use the same ticket indefinitely. Updates #25256 Change-Id: Ic4d1ba0d92773c490b33b5f6c1320d557cc7347d Reviewed-on: https://go-review.googlesource.com/c/go/+/231317 Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2025-04-03 20:17:36 +03:00 · 2020-04-30 20:11:55 -04:00 · 2020-04-30 20:11:55 -04:00 · 451074ba19
commit 451074ba19
parent 5c59a6c577
11 changed files with 408 additions and 393 deletions
--- a/handshake_client_test.go
+++ b/handshake_client_test.go
@ -952,6 +952,18 @@ func testResumption(t *testing.T, version uint16) {
 	}
 	testResumeState("KeyChangeFinish", true)

+	// Age the session ticket a bit, but not yet expired.
+	serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) }
+	testResumeState("OldSessionTicket", true)
+	ticket = getTicket()
+	// Expire the session ticket, which would force a full handshake.
+	serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) }
+	testResumeState("ExpiredSessionTicket", false)
+	if bytes.Equal(ticket, getTicket()) {
+		t.Fatal("new ticket wasn't provided after old ticket expired")
+	}
+	testResumeState("FreshSessionTicket", true)
+
 	// Reset serverConfig to ensure that calling SetSessionTicketKeys
 	// before the serverConfig is used works.
 	serverConfig = &Config{