mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-03 03:57:36 +03:00
Code Issues Projects Releases Packages Wiki Activity
Fork of the Go standard TLS library, providing low-level access to the ClientHello for mimicry purposes.
409 commits 7 branches 42 tags 12 MiB
Find a file
Anit Gandhi e235c4cbe2 crypto/tls: improve client auth failure alerts 
This change makes it easier for clients to debug mutual TLS connection failures. Currently, there are a few situations where invalid client auth leads to a generic "bad certificate" alert. 3 specific situations have a more appropriate TLS alert code, based on the alert descriptions in the appendix of both RFC5246 and RFC8446.
  1. The server is configured to require client auth, but no client cert was provided; the appropriate alert is "certificate required". This applies only to TLS 1.3, which first defined the certificate_required alert code.
  2. The client provided a cert that was signed by an authority that is not in the server's trusted set of CAs; the appropriate alert is "unknown certificate authority".
  3. The client provided an expired (or not yet valid) cert; the appropriate alert is "expired certificate".
Otherwise, we still fall back to "bad certificate".

Fixes #52113

Change-Id: I7d5860fe911cad8a1615f16bfe488a37e936dc36
GitHub-Last-Rev: 34eeab587b38549b2ba4a778f7f9894e9b715b43
GitHub-Pull-Request: golang/go#53251
Reviewed-on: https://go-review.googlesource.com/c/go/+/410496
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2023-01-20 16:19:42 +00:00
fipsonly [dev.boringcrypto] all: add boringcrypto build tags 2022-04-29 14:23:22 +00:00
testdata crypto/ecdsa: use bigmod and nistec instead of math/big and crypto/elliptic 2022-11-21 16:19:34 +00:00
alert.go crypto/tls: add missing alert values 2020-04-01 19:32:57 +00:00
auth.go [dev.boringcrypto] all: merge commit 9d0819b27c (CL 314609) into dev.boringcrypto 2021-05-13 12:59:22 -04:00
auth_test.go [dev.boringcrypto] all: merge master into dev.boringcrypto 2020-04-08 17:48:41 -04:00
boring.go [dev.boringcrypto] crypto/x509: remove VerifyOptions.IsBoring 2022-04-29 14:23:29 +00:00
boring_test.go crypto/x509: allow BoringCrypto to use 4096-bit keys 2022-11-09 14:47:58 +00:00
cache.go crypto/tls: fix typo in cacheEntry godoc 2023-01-05 19:33:00 +00:00
cache_test.go crypto/tls: add a certificate cache implementation 2022-11-07 19:46:27 +00:00
cipher_suites.go all: fix problematic comments 2022-11-11 19:12:52 +00:00
common.go crypto/tls: add CertificateVerificationError to tls handshake 2022-11-18 18:50:57 +00:00
common_string.go crypto/tls: add {SignatureScheme,CurveID,ClientAuthType}.String() 2020-03-11 20:02:18 +00:00
conn.go crypto/tls: use certificate cache in client 2022-11-07 19:47:10 +00:00
conn_test.go crypto/tls: select only compatible chains from Certificates 2019-11-12 01:08:57 +00:00
example_test.go crypto/tls: replace VerifyPeerCertificate example with VerifyConnection 2020-06-24 20:48:12 +00:00
generate_cert.go crypto/tls: delete unnecessary line of return 2022-08-08 15:22:02 +00:00
handshake_client.go crypto/tls: add CertificateVerificationError to tls handshake 2022-11-18 18:50:57 +00:00
handshake_client_test.go all: consistently use US spelling of present participles 2022-04-08 13:44:41 +00:00
handshake_client_tls13.go crypto/ecdh: move ECDH method to PrivateKey 2022-11-16 14:37:29 +00:00
handshake_messages.go crypto/tls: reject duplicate extensions 2022-04-21 16:18:13 +00:00
handshake_messages_test.go [dev.boringcrypto] all: merge master into dev.boringcrypto 2022-04-27 20:09:28 +02:00
handshake_server.go crypto/tls: improve client auth failure alerts 2023-01-20 16:19:42 +00:00
handshake_server_test.go crypto/tls: support ECDHE when ec_point_formats is missing 2022-08-25 16:35:38 +00:00
handshake_server_tls13.go crypto/ecdh: move ECDH method to PrivateKey 2022-11-16 14:37:29 +00:00
handshake_test.go crypto/tls: set default minimum client version to TLS 1.2 2021-11-05 22:03:24 +00:00
handshake_unix_test.go all: use new "unix" build tag where appropriate 2022-03-29 16:24:51 +00:00
key_agreement.go crypto/ecdh: move ECDH method to PrivateKey 2022-11-16 14:37:29 +00:00
key_schedule.go crypto: fix a few function names on comments 2022-09-29 22:56:49 +00:00
key_schedule_test.go crypto/tls: implement TLS 1.3 cryptographic computations 2018-11-02 21:54:52 +00:00
link_test.go all: use ":" for compiler generated symbols 2022-08-09 11:28:56 +00:00
notboring.go [dev.boringcrypto] crypto/x509: remove VerifyOptions.IsBoring 2022-04-29 14:23:29 +00:00
prf.go crypto/tls: remove unused hashForClientCertificate param 2022-08-14 00:26:03 +00:00
prf_test.go crypto/tls: remove SSLv3 support 2019-08-27 22:24:05 +00:00
ticket.go crypto/tls: remove version check when unmarshaling sessionState 2020-05-18 23:09:31 +00:00
tls.go crypto/tls: add HandshakeContext method to Conn 2021-03-16 14:05:45 +00:00
tls_test.go crypto/tls: make cipher suite preference ordering automatic 2021-05-08 05:15:48 +00:00