crypto/tls: add client-side SNI support and PeerCertificates.

SNI (Server Name Indication) is a way for a TLS client to indicate to the server which name it knows the server by. This allows the server to have several names and return the correct certificate for each (virtual hosting). PeerCertificates returns the list of certificates presented by server. R=r CC=golang-dev https://golang.org/cl/1741053
2025-12-08 06:10:04 +00:00 · 2010-07-21 11:36:01 -04:00 · 2010-07-21 11:36:01 -04:00 · 7be849d4a6
commit 7be849d4a6
parent 8286ee4c5b
4 changed files with 19 additions and 1 deletions
--- a/src/pkg/crypto/tls/common.go
+++ b/src/pkg/crypto/tls/common.go
@ -85,6 +85,9 @@ type Config struct {
 	// NextProtos is a list of supported, application level protocols.
 	// Currently only server-side handling is supported.
 	NextProtos []string
+	// ServerName is included in the client's handshake to support virtual
+	// hosting.
+	ServerName string
 }

 type Certificate struct {
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@ -5,6 +5,7 @@ package tls
 import (
 	"bytes"
 	"crypto/subtle"
+	"crypto/x509"
 	"hash"
 	"io"
 	"net"
@ -27,6 +28,7 @@ type Conn struct {
 	handshakeComplete bool
 	cipherSuite       uint16
 	ocspResponse      []byte // stapled OCSP response
+	peerCertificates  []*x509.Certificate

 	clientProtocol string

@ -651,3 +653,12 @@ func (c *Conn) OCSPResponse() []byte {

 	return c.ocspResponse
 }
+
+// PeerCertificates returns the certificate chain that was presented by the
+// other side.
+func (c *Conn) PeerCertificates() []*x509.Certificate {
+	c.handshakeMutex.Lock()
+	defer c.handshakeMutex.Unlock()
+
+	return c.peerCertificates
+}
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@ -28,6 +28,7 @@ func (c *Conn) clientHandshake() os.Error {
 		compressionMethods: []uint8{compressionNone},
 		random:             make([]byte, 32),
 		ocspStapling:       true,
+		serverName:         c.config.ServerName,
 	}

 	t := uint32(c.config.Time())
@ -107,6 +108,8 @@ func (c *Conn) clientHandshake() os.Error {
 		return c.sendAlert(alertUnsupportedCertificate)
 	}

+	c.peerCertificates = certs
+
 	if serverHello.certStatus {
 		msg, err = c.readHandshake()
 		if err != nil {
--- a/src/pkg/crypto/tls/handshake_messages.go
+++ b/src/pkg/crypto/tls/handshake_messages.go
@ -100,7 +100,8 @@ func (m *clientHelloMsg) marshal() []byte {
 		//     ServerName server_name_list<1..2^16-1>
 		// } ServerNameList;

-		z[1] = 1
+		z[0] = byte((len(m.serverName) + 3) >> 8)
+		z[1] = byte(len(m.serverName) + 3)
 		z[3] = byte(len(m.serverName) >> 8)
 		z[4] = byte(len(m.serverName))
 		copy(z[5:], []byte(m.serverName))