• Adam Langley's avatar
    crypto/tls: allow renegotiation to be handled by a client. · af125a51
    Adam Langley authored
    This change adds Config.Renegotiation which controls whether a TLS
    client will accept renegotiation requests from a server. This is used,
    for example, by some web servers that wish to “add” a client certificate
    to an HTTPS connection.
    
    This is disabled by default because it significantly complicates the
    state machine.
    
    Originally, handshakeMutex was taken before locking either Conn.in or
    Conn.out. However, if renegotiation is permitted then a handshake may
    be triggered during a Read() call. If Conn.in were unlocked before
    taking handshakeMutex then a concurrent Read() call could see an
    intermediate state and trigger an error. Thus handshakeMutex is now
    locked after Conn.in and the handshake functions assume that Conn.in is
    locked for the duration of the handshake.
    
    Additionally, handshakeMutex used to protect Conn.out also. With the
    possibility of renegotiation that's no longer viable and so
    writeRecordLocked has been split off.
    
    Fixes #5742.
    
    Change-Id: I935914db1f185d507ff39bba8274c148d756a1c8
    Reviewed-on: https://go-review.googlesource.com/22475
    Run-TryBot: Adam Langley <agl@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: default avatarRuss Cox <rsc@golang.org>
    af125a51
Client-TLSv12-RenegotiationRejected 7.1 KB