]> Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.25] crypto/tls: add verifiedChains expiration checking during...
authorRoland Shoemaker <roland@golang.org>
Mon, 26 Jan 2026 18:55:32 +0000 (10:55 -0800)
committerGopher Robot <gobot@golang.org>
Wed, 28 Jan 2026 22:03:25 +0000 (14:03 -0800)
commitc2d04c09949c689cba848cdb71abe6ad039b22c5
tree643fa0ed8114f658f3c98e2d450e33bc8cd87982
parent6b1110a40f41e1f8bb092e2e5a50b17c58777079
[release-branch.go1.25] crypto/tls: add verifiedChains expiration checking during resumption

When resuming a session, check that the verifiedChains contain at least
one chain that is still valid at the time of resumption. If not, trigger
a new handshake.

Updates #77113
Updates #77356
Updates CVE-2025-68121

Change-Id: I14f585c43da17802513cbdd5b10c552d7a38b34e
Reviewed-on: https://go-review.googlesource.com/c/go/+/739321
Reviewed-by: Coia Prant <coiaprant@gmail.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/740064
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
src/crypto/tls/common.go
src/crypto/tls/handshake_client.go
src/crypto/tls/handshake_server.go
src/crypto/tls/handshake_server_test.go
src/crypto/tls/handshake_server_tls13.go