From 206f659ab4f705271c70788bf1d7f9d01710f299 Mon Sep 17 00:00:00 2001
From: adotkhan <61702862+adotkhan@users.noreply.github.com>
Date: Tue, 16 Jul 2024 01:55:28 -0400
Subject: [PATCH] fix: Config.InsecureSkipTimeVerify did not skip peerCertificate expiry check (#303)
Signed-off-by: adotkhan <61702862+adotkhan@users.noreply.github.com>
Reviewed-by: Gaukas Wang
---
 handshake_client.go | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/handshake_client.go b/handshake_client.go
index b142b4d6..390c8dfc 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -368,25 +368,21 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 // Check that the cached server certificate is not expired, and that it's
 // valid for the ServerName. This should be ensured by the cache key, but
 // protect the application from a faulty ClientSessionCache implementation.
- if c.config.time().After(session.peerCertificates[0].NotAfter) {
- // Expired certificate, delete the entry.
- c.config.ClientSessionCache.Put(cacheKey, nil)
- return nil, nil, nil, nil
+ // [UTLS SECTION START]
+ if !c.config.InsecureSkipTimeVerify {
+ if c.config.time().After(session.peerCertificates[0].NotAfter) {
+ // Expired certificate, delete the entry.
+ c.config.ClientSessionCache.Put(cacheKey, nil)
+ return nil, nil, nil, nil
+ }
 }
+ // [UTLS SECTION END]
 if !c.config.InsecureSkipVerify {
 if len(session.verifiedChains) == 0 {
 // The original connection had InsecureSkipVerify, while this doesn't.
 return nil, nil, nil, nil
 }
- serverCert := session.peerCertificates[0]
 // [UTLS SECTION START]
- if !c.config.InsecureSkipTimeVerify {
- if c.config.time().After(serverCert.NotAfter) {
- // Expired certificate, delete the entry.
- c.config.ClientSessionCache.Put(cacheKey, nil)
- return nil, nil, nil, nil
- }
- }
 var dnsName string
 if len(c.config.InsecureServerNameToVerify) == 0 {
 dnsName = c.config.ServerName
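Review bot: The three-line comment above the new block still says the cached certificate is checked for expiry, but with InsecureSkipTimeVerify set the new code no longer drops an expired entry (the `c.config.ClientSessionCache.Put(cacheKey, nil)` path is skipped), so the comment should state the exception, e.g. `// Unless InsecureSkipTimeVerify is set, check that the cached server certificate is not expired, and that it's`. With that flag an expired cached session is still offered for resumption; the hostname check further down still applies whenever InsecureSkipVerify is false. The two nested ifs could also collapse into one guard, `if !c.config.InsecureSkipTimeVerify && c.config.time().After(session.peerCertificates[0].NotAfter) {`, which keeps the early-return body one level shallower. loadSession's body continues outside the hunk on both sides.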
@@ -394,7 +390,7 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 dnsName = c.config.InsecureServerNameToVerify
 }
 if len(dnsName) > 0 {
- if err := serverCert.VerifyHostname(dnsName); err != nil {
+ if err := session.peerCertificates[0].VerifyHostname(dnsName); err != nil {
 return nil, nil, nil, nil
 }
 }
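Review bot: `session.peerCertificates[0]` is now spelled out here as well as in the expiry check earlier in the same function; keeping one `serverCert := session.peerCertificates[0]` local declared above the time check, outside the InsecureSkipVerify block so both uses reach it, would avoid repeating the index expression and make any future length guard a single-site change. loadSession continues outside this hunk.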