release-request-957cd691-fb71-4770-8ff7-a3b9602655a5-for-git_oc-mr1-release-4314464 snap-temp-L54400000099147910
Change-Id: I457f6e087fc7ddd618e28ddf9f4e88bfe5d11f43
diff --git a/src/PORTING.md b/src/PORTING.md
index b9d6752..9f9fda0 100644
--- a/src/PORTING.md
+++ b/src/PORTING.md
@@ -128,6 +128,17 @@
* If a HelloRequest is received while `SSL_write` has unsent application data,
the renegotiation is rejected.
+* Renegotiation does not participate in session resumption. The client will
+ not offer a session on renegotiation or resume any session established by a
+ renegotiation handshake.
+
+* The server may not change its certificate in the renegotiation. This mitigates
+ the [triple handshake attack](https://mitls.org/pages/attacks/3SHAKE). Any new
+ stapled OCSP response and SCT list will be ignored. As no authentication state
+ may change, BoringSSL will not re-verify the certificate on a renegotiation.
+ Callbacks such as `SSL_CTX_set_custom_verify` will only run on the initial
+ handshake.
+
### Lowercase hexadecimal
BoringSSL's `BN_bn2hex` function uses lowercase hexadecimal digits instead of
diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc
index 9efbf0a..0519bed 100644
--- a/src/ssl/handshake_client.cc
+++ b/src/ssl/handshake_client.cc
@@ -503,7 +503,10 @@
ret = -1;
goto end;
}
- ssl->s3->established_session->not_resumable = 0;
+ /* Renegotiations do not participate in session resumption. */
+ if (!ssl->s3->initial_handshake_complete) {
+ ssl->s3->established_session->not_resumable = 0;
+ }
SSL_SESSION_free(hs->new_session);
hs->new_session = NULL;
@@ -513,12 +516,8 @@
break;
case SSL_ST_OK: {
- const int is_initial_handshake = !ssl->s3->initial_handshake_complete;
ssl->s3->initial_handshake_complete = 1;
- if (is_initial_handshake) {
- /* Renegotiations do not participate in session resumption. */
- ssl_update_cache(hs, SSL_SESS_CACHE_CLIENT);
- }
+ ssl_update_cache(hs, SSL_SESS_CACHE_CLIENT);
ret = 1;
ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_DONE, 1);
@@ -1114,33 +1113,6 @@
return -1;
}
- /* Disallow the server certificate from changing during a renegotiation. See
- * https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
- * so this check is sufficient. */
- if (ssl->s3->established_session != NULL) {
- if (sk_CRYPTO_BUFFER_num(ssl->s3->established_session->certs) !=
- sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
- }
-
- for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs); i++) {
- const CRYPTO_BUFFER *old_cert =
- sk_CRYPTO_BUFFER_value(ssl->s3->established_session->certs, i);
- const CRYPTO_BUFFER *new_cert =
- sk_CRYPTO_BUFFER_value(hs->new_session->certs, i);
- if (CRYPTO_BUFFER_len(old_cert) != CRYPTO_BUFFER_len(new_cert) ||
- OPENSSL_memcmp(CRYPTO_BUFFER_data(old_cert),
- CRYPTO_BUFFER_data(new_cert),
- CRYPTO_BUFFER_len(old_cert)) != 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
- }
- }
- }
-
return 1;
}
@@ -1185,8 +1157,72 @@
return 1;
}
+static int copy_bytes(uint8_t **out, size_t *out_len, const uint8_t *in, size_t in_len) {
+ OPENSSL_free(*out);
+ *out = nullptr;
+ *out_len = 0;
+
+ if (in_len > 0) {
+ *out = (uint8_t *)BUF_memdup(in, in_len);
+ if (*out == nullptr) {
+ return 0;
+ }
+ *out_len = in_len;
+ }
+
+ return 1;
+}
+
static int ssl3_verify_server_cert(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+ const SSL_SESSION *prev_session = ssl->s3->established_session;
+ if (prev_session != NULL) {
+ /* If renegotiating, the server must not change the server certificate. See
+ * https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
+ * so this check is sufficient to ensure the reported peer certificate never
+ * changes on renegotiation. */
+ assert(!ssl->server);
+ if (sk_CRYPTO_BUFFER_num(prev_session->certs) !=
+ sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return -1;
+ }
+
+ for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs); i++) {
+ const CRYPTO_BUFFER *old_cert =
+ sk_CRYPTO_BUFFER_value(prev_session->certs, i);
+ const CRYPTO_BUFFER *new_cert =
+ sk_CRYPTO_BUFFER_value(hs->new_session->certs, i);
+ if (CRYPTO_BUFFER_len(old_cert) != CRYPTO_BUFFER_len(new_cert) ||
+ OPENSSL_memcmp(CRYPTO_BUFFER_data(old_cert),
+ CRYPTO_BUFFER_data(new_cert),
+ CRYPTO_BUFFER_len(old_cert)) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return -1;
+ }
+ }
+
+ /* The certificate is identical, so we may skip re-verifying the
+ * certificate. Since we only authenticated the previous one, copy other
+ * authentication from the established session and ignore what was newly
+ * received. */
+ if (!copy_bytes(&hs->new_session->ocsp_response,
+ &hs->new_session->ocsp_response_length,
+ prev_session->ocsp_response,
+ prev_session->ocsp_response_length) ||
+ !copy_bytes(&hs->new_session->tlsext_signed_cert_timestamp_list,
+ &hs->new_session->tlsext_signed_cert_timestamp_list_length,
+ prev_session->tlsext_signed_cert_timestamp_list,
+ prev_session->tlsext_signed_cert_timestamp_list_length)) {
+ return -1;
+ }
+
+ hs->new_session->verify_result = prev_session->verify_result;
+ return 1;
+ }
+
if (!ssl->ctx->x509_method->session_verify_cert_chain(hs->new_session, ssl)) {
return -1;
}
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 7441925..b8d4c27 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -1811,6 +1811,7 @@
SSL_CTX *ctx = ssl->session_ctx;
/* Never cache sessions with empty session IDs. */
if (ssl->s3->established_session->session_id_length == 0 ||
+ ssl->s3->established_session->not_resumable ||
(ctx->session_cache_mode & mode) != mode) {
return;
}
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index cd846be..fb21058 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -112,6 +112,9 @@
bool alpn_select_done = false;
bool is_resume = false;
bool early_callback_ready = false;
+ // cert_verified is true if certificate verification has been driven to
+ // completion. This tests that the callback is not called again after this.
+ bool cert_verified = false;
};
static void TestStateExFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
@@ -684,27 +687,41 @@
return 1;
}
-static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) {
- SSL* ssl = (SSL*)X509_STORE_CTX_get_ex_data(store_ctx,
- SSL_get_ex_data_X509_STORE_CTX_idx());
+static bool CheckVerifyCallback(SSL *ssl) {
const TestConfig *config = GetTestConfig(ssl);
-
if (!config->expected_ocsp_response.empty()) {
const uint8_t *data;
size_t len;
SSL_get0_ocsp_response(ssl, &data, &len);
if (len == 0) {
fprintf(stderr, "OCSP response not available in verify callback\n");
- return 0;
+ return false;
}
}
- return 1;
+ if (GetTestState(ssl)->cert_verified) {
+ fprintf(stderr, "Certificate verified twice.\n");
+ return false;
+ }
+
+ return true;
}
-static int VerifyFail(X509_STORE_CTX *store_ctx, void *arg) {
- store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
- return 0;
+static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
+ SSL* ssl = (SSL*)X509_STORE_CTX_get_ex_data(store_ctx,
+ SSL_get_ex_data_X509_STORE_CTX_idx());
+ const TestConfig *config = GetTestConfig(ssl);
+ if (!CheckVerifyCallback(ssl)) {
+ return 0;
+ }
+
+ GetTestState(ssl)->cert_verified = true;
+ if (config->verify_fail) {
+ store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
+ return 0;
+ }
+
+ return 1;
}
static int NextProtosAdvertisedCallback(SSL *ssl, const uint8_t **out,
@@ -1139,11 +1156,7 @@
return nullptr;
}
- if (config->verify_fail) {
- SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), VerifyFail, NULL);
- } else {
- SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), VerifySucceed, NULL);
- }
+ SSL_CTX_set_cert_verify_callback(ssl_ctx.get(), CertVerifyCallback, NULL);
if (!config->signed_cert_timestamps.empty() &&
!SSL_CTX_set_signed_cert_timestamp_list(
@@ -1374,11 +1387,115 @@
return 0x0201 + ~version;
}
+// CheckAuthProperties checks, after the initial handshake is completed or
+// after a renegotiation, that authentication-related properties match |config|.
+static bool CheckAuthProperties(SSL *ssl, bool is_resume,
+ const TestConfig *config) {
+ if (!config->expected_ocsp_response.empty()) {
+ const uint8_t *data;
+ size_t len;
+ SSL_get0_ocsp_response(ssl, &data, &len);
+ if (config->expected_ocsp_response.size() != len ||
+ OPENSSL_memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
+ fprintf(stderr, "OCSP response mismatch\n");
+ return false;
+ }
+ }
+
+ if (!config->expected_signed_cert_timestamps.empty()) {
+ const uint8_t *data;
+ size_t len;
+ SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
+ if (config->expected_signed_cert_timestamps.size() != len ||
+ OPENSSL_memcmp(config->expected_signed_cert_timestamps.data(), data,
+ len) != 0) {
+ fprintf(stderr, "SCT list mismatch\n");
+ return false;
+ }
+ }
+
+ if (config->expect_verify_result) {
+ int expected_verify_result = config->verify_fail ?
+ X509_V_ERR_APPLICATION_VERIFICATION :
+ X509_V_OK;
+
+ if (SSL_get_verify_result(ssl) != expected_verify_result) {
+ fprintf(stderr, "Wrong certificate verification result\n");
+ return false;
+ }
+ }
+
+ if (!config->expect_peer_cert_file.empty()) {
+ bssl::UniquePtr<X509> expect_leaf;
+ bssl::UniquePtr<STACK_OF(X509)> expect_chain;
+ if (!LoadCertificate(&expect_leaf, &expect_chain,
+ config->expect_peer_cert_file)) {
+ return false;
+ }
+
+ // For historical reasons, clients report a chain with a leaf and servers
+ // without.
+ if (!config->is_server) {
+ if (!sk_X509_insert(expect_chain.get(), expect_leaf.get(), 0)) {
+ return false;
+ }
+ X509_up_ref(expect_leaf.get()); // sk_X509_push takes ownership.
+ }
+
+ bssl::UniquePtr<X509> leaf(SSL_get_peer_certificate(ssl));
+ STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
+ if (X509_cmp(leaf.get(), expect_leaf.get()) != 0) {
+ fprintf(stderr, "Received a different leaf certificate than expected.\n");
+ return false;
+ }
+
+ if (sk_X509_num(chain) != sk_X509_num(expect_chain.get())) {
+ fprintf(stderr, "Received a chain of length %zu instead of %zu.\n",
+ sk_X509_num(chain), sk_X509_num(expect_chain.get()));
+ return false;
+ }
+
+ for (size_t i = 0; i < sk_X509_num(chain); i++) {
+ if (X509_cmp(sk_X509_value(chain, i),
+ sk_X509_value(expect_chain.get(), i)) != 0) {
+ fprintf(stderr, "Chain certificate %zu did not match.\n",
+ i + 1);
+ return false;
+ }
+ }
+ }
+
+ bool expected_sha256_client_cert = config->expect_sha256_client_cert_initial;
+ if (is_resume) {
+ expected_sha256_client_cert = config->expect_sha256_client_cert_resume;
+ }
+
+ if (SSL_get_session(ssl)->peer_sha256_valid != expected_sha256_client_cert) {
+ fprintf(stderr,
+ "Unexpected SHA-256 client cert state: expected:%d is_resume:%d.\n",
+ expected_sha256_client_cert, is_resume);
+ return false;
+ }
+
+ if (expected_sha256_client_cert &&
+ SSL_get_session(ssl)->certs != nullptr) {
+ fprintf(stderr, "Have both client cert and SHA-256 hash: is_resume:%d.\n",
+ is_resume);
+ return false;
+ }
+
+ return true;
+}
+
// CheckHandshakeProperties checks, immediately after |ssl| completes its
// initial handshake (or False Starts), whether all the properties are
// consistent with the test configuration and invariants.
static bool CheckHandshakeProperties(SSL *ssl, bool is_resume,
const TestConfig *config) {
+ if (!CheckAuthProperties(ssl, is_resume, config)) {
+ return false;
+ }
+
if (SSL_get_current_cipher(ssl) == nullptr) {
fprintf(stderr, "null cipher after handshake\n");
return false;
@@ -1504,40 +1621,6 @@
return false;
}
- if (!config->expected_ocsp_response.empty()) {
- const uint8_t *data;
- size_t len;
- SSL_get0_ocsp_response(ssl, &data, &len);
- if (config->expected_ocsp_response.size() != len ||
- OPENSSL_memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
- fprintf(stderr, "OCSP response mismatch\n");
- return false;
- }
- }
-
- if (!config->expected_signed_cert_timestamps.empty()) {
- const uint8_t *data;
- size_t len;
- SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
- if (config->expected_signed_cert_timestamps.size() != len ||
- OPENSSL_memcmp(config->expected_signed_cert_timestamps.data(), data,
- len) != 0) {
- fprintf(stderr, "SCT list mismatch\n");
- return false;
- }
- }
-
- if (config->expect_verify_result) {
- int expected_verify_result = config->verify_fail ?
- X509_V_ERR_APPLICATION_VERIFICATION :
- X509_V_OK;
-
- if (SSL_get_verify_result(ssl) != expected_verify_result) {
- fprintf(stderr, "Wrong certificate verification result\n");
- return false;
- }
- }
-
if (config->expect_peer_signature_algorithm != 0 &&
config->expect_peer_signature_algorithm !=
SSL_get_peer_signature_algorithm(ssl)) {
@@ -1596,65 +1679,6 @@
}
}
- if (!config->expect_peer_cert_file.empty()) {
- bssl::UniquePtr<X509> expect_leaf;
- bssl::UniquePtr<STACK_OF(X509)> expect_chain;
- if (!LoadCertificate(&expect_leaf, &expect_chain,
- config->expect_peer_cert_file)) {
- return false;
- }
-
- // For historical reasons, clients report a chain with a leaf and servers
- // without.
- if (!config->is_server) {
- if (!sk_X509_insert(expect_chain.get(), expect_leaf.get(), 0)) {
- return false;
- }
- X509_up_ref(expect_leaf.get()); // sk_X509_push takes ownership.
- }
-
- bssl::UniquePtr<X509> leaf(SSL_get_peer_certificate(ssl));
- STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
- if (X509_cmp(leaf.get(), expect_leaf.get()) != 0) {
- fprintf(stderr, "Received a different leaf certificate than expected.\n");
- return false;
- }
-
- if (sk_X509_num(chain) != sk_X509_num(expect_chain.get())) {
- fprintf(stderr, "Received a chain of length %zu instead of %zu.\n",
- sk_X509_num(chain), sk_X509_num(expect_chain.get()));
- return false;
- }
-
- for (size_t i = 0; i < sk_X509_num(chain); i++) {
- if (X509_cmp(sk_X509_value(chain, i),
- sk_X509_value(expect_chain.get(), i)) != 0) {
- fprintf(stderr, "Chain certificate %zu did not match.\n",
- i + 1);
- return false;
- }
- }
- }
-
- bool expected_sha256_client_cert = config->expect_sha256_client_cert_initial;
- if (is_resume) {
- expected_sha256_client_cert = config->expect_sha256_client_cert_resume;
- }
-
- if (SSL_get_session(ssl)->peer_sha256_valid != expected_sha256_client_cert) {
- fprintf(stderr,
- "Unexpected SHA-256 client cert state: expected:%d is_resume:%d.\n",
- expected_sha256_client_cert, is_resume);
- return false;
- }
-
- if (expected_sha256_client_cert &&
- SSL_get_session(ssl)->certs != nullptr) {
- fprintf(stderr, "Have both client cert and SHA-256 hash: is_resume:%d.\n",
- is_resume);
- return false;
- }
-
if (is_resume && config->expect_ticket_age_skew != 0 &&
SSL_get_ticket_age_skew(ssl) != config->expect_ticket_age_skew) {
fprintf(stderr, "Ticket age skew was %" PRId32 ", wanted %d\n",
@@ -2242,6 +2266,21 @@
return false;
}
+ if (SSL_total_renegotiations(ssl) > 0) {
+ if (!SSL_get_session(ssl)->not_resumable) {
+ fprintf(stderr,
+ "Renegotiations should never produce resumable sessions.\n");
+ return false;
+ }
+
+ // Re-check authentication properties after a renegotiation. The reported
+ // values should remain unchanged even if the server sent different SCT
+ // lists.
+ if (!CheckAuthProperties(ssl, is_resume, config)) {
+ return false;
+ }
+ }
+
if (SSL_total_renegotiations(ssl) != config->expect_total_renegotiations) {
fprintf(stderr, "Expected %d renegotiations, got %d\n",
config->expect_total_renegotiations, SSL_total_renegotiations(ssl));
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index fd9fb3d..aebc264 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -1059,11 +1059,19 @@
// supplied SCT list in resumption handshakes.
SendSCTListOnResume []byte
+ // SendSCTListOnRenegotiation, if not nil, causes the server to send the
+ // supplied SCT list on renegotiation.
+ SendSCTListOnRenegotiation []byte
+
// SendOCSPResponseOnResume, if not nil, causes the server to advertise
// OCSP stapling in resumption handshakes and, if applicable, send the
// supplied stapled response.
SendOCSPResponseOnResume []byte
+ // SendOCSPResponseOnResume, if not nil, causes the server to send the
+ // supplied OCSP response on renegotiation.
+ SendOCSPResponseOnRenegotiation []byte
+
// SendExtensionOnCertificate, if not nil, causes the runner to send the
// supplied bytes in the extensions on the Certificate message.
SendExtensionOnCertificate []byte
diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go
index b31a562..cb9bdac 100644
--- a/src/ssl/test/runner/handshake_server.go
+++ b/src/ssl/test/runner/handshake_server.go
@@ -1433,6 +1433,10 @@
hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList
}
+ if len(c.clientVerify) > 0 && config.Bugs.SendSCTListOnRenegotiation != nil {
+ hs.hello.extensions.sctList = config.Bugs.SendSCTListOnRenegotiation
+ }
+
hs.hello.extensions.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled && c.vers > VersionSSL30
hs.hello.cipherSuite = hs.suite.id
if config.Bugs.SendCipherSuite != 0 {
@@ -1479,6 +1483,9 @@
certStatus := new(certificateStatusMsg)
certStatus.statusType = statusTypeOCSP
certStatus.response = hs.cert.OCSPStaple
+ if len(c.clientVerify) > 0 && config.Bugs.SendOCSPResponseOnRenegotiation != nil {
+ certStatus.response = config.Bugs.SendOCSPResponseOnRenegotiation
+ }
hs.writeServerHash(certStatus.marshal())
c.writeRecord(recordTypeHandshake, certStatus.marshal())
}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index 29747db..e3521a4 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -199,7 +199,9 @@
var channelIDBytes []byte
var testOCSPResponse = []byte{1, 2, 3, 4}
+var testOCSPResponse2 = []byte{5, 6, 7, 8}
var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
+var testSCTList2 = []byte{0, 6, 0, 4, 1, 2, 3, 4}
var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
@@ -6381,10 +6383,6 @@
expectedError: ":UNEXPECTED_EXTENSION:",
})
- var differentSCTList []byte
- differentSCTList = append(differentSCTList, testSCTList...)
- differentSCTList[len(differentSCTList)-1] ^= 1
-
// Test that extensions on intermediates are allowed but ignored.
testCases = append(testCases, testCase{
name: "IgnoreExtensionsOnIntermediates-TLS13",
@@ -6395,8 +6393,8 @@
// Send different values on the intermediate. This tests
// the intermediate's extensions do not override the
// leaf's.
- SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
- SendSCTOnIntermediates: differentSCTList,
+ SendOCSPOnIntermediates: testOCSPResponse2,
+ SendSCTOnIntermediates: testSCTList2,
},
},
flags: []string{
@@ -7446,6 +7444,34 @@
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
+
+ // The server may send different stapled OCSP responses or SCT lists on
+ // renegotiation, but BoringSSL ignores this and reports the old values.
+ // Also test that non-fatal verify results are preserved.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "Renegotiation-ChangeAuthProperties",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendOCSPResponseOnRenegotiation: testOCSPResponse2,
+ SendSCTListOnRenegotiation: testSCTList2,
+ },
+ },
+ renegotiate: 1,
+ flags: []string{
+ "-renegotiate-freely",
+ "-expect-total-renegotiations", "1",
+ "-enable-ocsp-stapling",
+ "-expect-ocsp-response",
+ base64.StdEncoding.EncodeToString(testOCSPResponse),
+ "-enable-signed-cert-timestamps",
+ "-expect-signed-cert-timestamps",
+ base64.StdEncoding.EncodeToString(testSCTList),
+ "-verify-fail",
+ "-expect-verify-result",
+ },
+ })
}
func addDTLSReplayTests() {
