delta/go-git.git/src/crypto/tls, branch dev.debug github.com: golang/go crypto/tls: pass argument to serverInit rather than using a field in Config. 2017-05-16T18:23:28+00:00 Adam Langley agl@golang.org 2017-04-28T20:37:52+00:00 46f4bfb2d17a3ccb4b3207d086a90cac3c00ea2f Updates #20164. Change-Id: Ib900095e7885f25cd779750674a712c770603ca8 Reviewed-on: https://go-review.googlesource.com/42137 Reviewed-by: Russ Cox <rsc@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Updates #20164.

Change-Id: Ib900095e7885f25cd779750674a712c770603ca8
Reviewed-on: https://go-review.googlesource.com/42137
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
crypto/tls: recommend P256 elliptic curve 2017-04-10T17:40:01+00:00 Kevin Burke kev@inburke.com 2017-04-10T17:22:26+00:00 26c2926f648cafdbd09954495242a67eedb631b4 Users (like myself) may be tempted to think the higher-numbered curve is somehow better or more secure, but P256 is currently the best ECDSA implementation, due to its better support in TLS clients, and a constant time implementation. For example, sites that present a certificate signed with P521 currently fail to load in Chrome stable, and the error on the Go side says simply "remote error: tls: illegal parameter". Fixes #19901. Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82 Reviewed-on: https://go-review.googlesource.com/40211 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 
Users (like myself) may be tempted to think the higher-numbered curve
is somehow better or more secure, but P256 is currently the best
ECDSA implementation, due to its better support in TLS clients, and a
constant time implementation.

For example, sites that present a certificate signed with P521
currently fail to load in Chrome stable, and the error on the Go side
says simply "remote error: tls: illegal parameter".

Fixes #19901.

Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82
Reviewed-on: https://go-review.googlesource.com/40211
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
crypto/tls: make Config.Clone also clone the GetClientCertificate field 2017-03-02T19:43:07+00:00 Mike Danese mikedanese@google.com 2017-03-01T18:43:57+00:00 87649d32ad16a9a0b7bd5dbd1c124b2032a270f1 Using GetClientCertificate with the http client is currently completely broken because inside the transport we clone the tls.Config and pass it off to the tls.Client. Since tls.Config.Clone() does not pass forward the GetClientCertificate field, GetClientCertificate is ignored in this context. Fixes #19264 Change-Id: Ie214f9f0039ac7c3a2dab8ffd14d30668bdb4c71 Signed-off-by: Mike Danese <mikedanese@google.com> Reviewed-on: https://go-review.googlesource.com/37541 Reviewed-by: Filippo Valsorda <hi@filippo.io> Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Using GetClientCertificate with the http client is currently completely
broken because inside the transport we clone the tls.Config and pass it
off to the tls.Client. Since tls.Config.Clone() does not pass forward
the GetClientCertificate field, GetClientCertificate is ignored in this
context.

Fixes #19264

Change-Id: Ie214f9f0039ac7c3a2dab8ffd14d30668bdb4c71
Signed-off-by: Mike Danese <mikedanese@google.com>
Reviewed-on: https://go-review.googlesource.com/37541
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
crypto/tls: use io.ReadFull in conn_test.go 2017-02-24T02:36:10+00:00 Joe Tsai joetsai@digital-static.net 2017-02-24T01:41:31+00:00 ea5529de155cfd3f2c31698344b1ca001e0f8819 An io.Reader does not guarantee that it will read in the entire buffer. To ensure that property, io.ReadFull should be used instead. Change-Id: I0b863135ab9abc40e813f9dac07bfb2a76199950 Reviewed-on: https://go-review.googlesource.com/37403 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com> Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> 
An io.Reader does not guarantee that it will read in the entire buffer.
To ensure that property, io.ReadFull should be used instead.

Change-Id: I0b863135ab9abc40e813f9dac07bfb2a76199950
Reviewed-on: https://go-review.googlesource.com/37403
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
crypto/tls: don't hold lock when closing underlying net.Conn. 2017-02-09T19:02:55+00:00 Adam Langley agl@golang.org 2017-02-08T18:06:34+00:00 f02dda50e8b4e268987d269e22b6d7410a52587b There's no need to hold the handshake lock across this call and it can lead to deadlocks if the net.Conn calls back into the tls.Conn. Fixes #18426. Change-Id: Ib1b2813cce385949d970f8ad2e52cfbd1390e624 Reviewed-on: https://go-review.googlesource.com/36561 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 
There's no need to hold the handshake lock across this call and it can
lead to deadlocks if the net.Conn calls back into the tls.Conn.

Fixes #18426.

Change-Id: Ib1b2813cce385949d970f8ad2e52cfbd1390e624
Reviewed-on: https://go-review.googlesource.com/36561
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
crypto/tls: fix link to more info about channel bindings 2017-02-08T19:57:15+00:00 Максим Федосеев max.faceless.frei@gmail.com 2017-01-30T12:11:01+00:00 7bd968fbfdfd943d8bfc3f6f48b47c5fe990f9ba Link in the description of TLSUnique field of ConnectionState struct leads to an article that is no longer available, so this commit replaces it with link to a copy of the very same article on another site. Fixes #18842. Change-Id: I8f8d298c4774dc0fbbad5042db0684bb3220aee8 Reviewed-on: https://go-review.googlesource.com/36052 Reviewed-by: Filippo Valsorda <hi@filippo.io> Reviewed-by: Adam Langley <agl@golang.org> 
Link in the description of TLSUnique field of ConnectionState struct
leads to an article that is no longer available, so this commit
replaces it with link to a copy of the very same article on another
site.

Fixes #18842.

Change-Id: I8f8d298c4774dc0fbbad5042db0684bb3220aee8
Reviewed-on: https://go-review.googlesource.com/36052
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Adam Langley <agl@golang.org>
crypto/tls: document that only tickets are supported. 2017-02-08T17:54:06+00:00 Adam Langley agl@golang.org 2017-02-08T17:47:34+00:00 0c9325e13d5d9e2ab7459522e3556f6f44cbcb10 This change clarifies that only ticket-based resumption is supported by crypto/tls. It's not clear where to document this for a server, although perhaps it's obvious there because there's nowhere to plug in the storage that would be needed by SessionID-based resumption. Fixes #18607 Change-Id: Iaaed53e8d8f2f45c2f24c0683052df4be6340922 Reviewed-on: https://go-review.googlesource.com/36560 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 
This change clarifies that only ticket-based resumption is supported by
crypto/tls. It's not clear where to document this for a server,
although perhaps it's obvious there because there's nowhere to plug in
the storage that would be needed by SessionID-based resumption.

Fixes #18607

Change-Id: Iaaed53e8d8f2f45c2f24c0683052df4be6340922
Reviewed-on: https://go-review.googlesource.com/36560
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
cmd/link, crypto/tls: don't use append loops 2017-02-07T16:42:32+00:00 Daniel Martí mvdan@mvdan.cc 2017-02-06T11:03:58+00:00 99df7c9caa19d99747c4766be171c9487c9645cf Change-Id: Ib47e295e8646b769c30fd81e5c7f20f964df163e Reviewed-on: https://go-review.googlesource.com/36335 Reviewed-by: Filippo Valsorda <hi@filippo.io> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Change-Id: Ib47e295e8646b769c30fd81e5c7f20f964df163e
Reviewed-on: https://go-review.googlesource.com/36335
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
crypto/tls: reject SNI values with a trailing dot. 2017-02-01T21:59:57+00:00 Adam Langley agl@golang.org 2016-12-05T18:24:30+00:00 3f45916433c7e868c75b7a23c9288f8c67447acc SNI values may not include a trailing dot according to https://tools.ietf.org/html/rfc6066#section-3. Although crypto/tls handled this correctly as a client, it didn't reject this as a server. This change makes sending an SNI value with a trailing dot a fatal error. Updates #18114. Change-Id: Ib7897ab40e98d4a7a4646ff8469a55233621f631 Reviewed-on: https://go-review.googlesource.com/33904 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 
SNI values may not include a trailing dot according to
https://tools.ietf.org/html/rfc6066#section-3. Although crypto/tls
handled this correctly as a client, it didn't reject this as a server.

This change makes sending an SNI value with a trailing dot a fatal
error.

Updates #18114.

Change-Id: Ib7897ab40e98d4a7a4646ff8469a55233621f631
Reviewed-on: https://go-review.googlesource.com/33904
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
crypto/tls: document ConnectionState.NegotiatedProtocol more clearly 2017-02-01T21:48:27+00:00 Anmol Sethi anmol@aubble.com 2017-01-29T08:18:17+00:00 c67f0d949941279681b53b585eb967326811a93b ConnectionState.NegotiatedProtocol's documentation implies that it will always be from Config.NextProtos. This commit clarifies that there is no guarantee. This commit also adds a note to ConnectionState.NegotiatedProtocolIsMutual, making it clear that it is client side only. Fixes #18841 Change-Id: Icd028af8042f31e45575f1080c5e9bd3012e03d7 Reviewed-on: https://go-review.googlesource.com/35917 Reviewed-by: Filippo Valsorda <hi@filippo.io> Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
ConnectionState.NegotiatedProtocol's documentation implies that it will
always be from Config.NextProtos. This commit clarifies that there is no
guarantee.

This commit also adds a note to
ConnectionState.NegotiatedProtocolIsMutual, making it clear that it is
client side only.

Fixes #18841

Change-Id: Icd028af8042f31e45575f1080c5e9bd3012e03d7
Reviewed-on: https://go-review.googlesource.com/35917
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>