gfe-relnote: Enable certificate verification on TLS resumption in QUIC, protected by reloadable flag quic_supports_tls_handshake
PiperOrigin-RevId: 279800956
Change-Id: I58c3f1c32e20a7e7a9eb1c2b4f68538120baf112
diff --git a/quic/core/crypto/tls_client_connection.cc b/quic/core/crypto/tls_client_connection.cc
index 98aa6e7..7d11224 100644
--- a/quic/core/crypto/tls_client_connection.cc
+++ b/quic/core/crypto/tls_client_connection.cc
@@ -14,11 +14,9 @@
bssl::UniquePtr<SSL_CTX> TlsClientConnection::CreateSslCtx() {
bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
// Configure certificate verification.
- // TODO(nharper): This only verifies certs on initial connection, not on
- // resumption. Chromium has this callback be a no-op and verifies the
- // certificate after the connection is complete. We need to re-verify on
- // resumption in case of expiration or revocation/distrust.
SSL_CTX_set_custom_verify(ssl_ctx.get(), SSL_VERIFY_PEER, &VerifyCallback);
+ int reverify_on_resume_enabled = 1;
+ SSL_CTX_set_reverify_on_resume(ssl_ctx.get(), reverify_on_resume_enabled);
// Configure session caching.
SSL_CTX_set_session_cache_mode(
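Review bot: The rationale the removed TODO carried (a cached certificate may have expired or been revoked/distrusted since the original handshake) no longer appears anywhere near the new SSL_CTX_set_reverify_on_resume call on L18, and the single-use local `reverify_on_resume_enabled` on L17 documents nothing that an inline argument comment would not. I would replace the two added lines with `// Run VerifyCallback on resumed sessions too: the certificate cached with the session may have expired or been revoked/distrusted since it was first verified.` followed by `SSL_CTX_set_reverify_on_resume(ssl_ctx.get(), /*enabled=*/1);`. The commit message says this is protected by quic_supports_tls_handshake, but nothing in this hunk consults that flag, so the protection presumably comes from the whole TLS client path being gated elsewhere — worth confirming, since an unguarded reverify changes which resumed handshakes can fail. Re-verification is also only as strong as VerifyCallback itself, which is defined outside this hunk and must not short-circuit when the session is resumed. CreateSslCtx continues past the end of the hunk.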
diff --git a/quic/core/quic_crypto_client_stream_test.cc b/quic/core/quic_crypto_client_stream_test.cc
index 675dc20..4fd338f 100644
--- a/quic/core/quic_crypto_client_stream_test.cc
+++ b/quic/core/quic_crypto_client_stream_test.cc
@@ -72,11 +72,13 @@
}
void CompleteCryptoHandshake() {
+ int proof_verify_details_calls = 1;
if (stream()->handshake_protocol() != PROTOCOL_TLS1_3) {
EXPECT_CALL(*session_, OnProofValid(testing::_));
+ proof_verify_details_calls = 0;
}
EXPECT_CALL(*session_, OnProofVerifyDetailsAvailable(testing::_))
- .Times(testing::AnyNumber());
+ .Times(testing::AtLeast(proof_verify_details_calls));
stream()->CryptoConnect();
QuicConfig config;
crypto_test_utils::HandshakeWithFakeServer(
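Review bot: The tightened expectation on L35 only pins that OnProofVerifyDetailsAvailable fires at least once during the single handshake CompleteCryptoHandshake drives, so nothing in this hunk exercises the behaviour the commit adds — re-verification when a cached session is resumed. A test that completes one handshake, then connects a second stream from the same crypto config and expects OnProofVerifyDetailsAvailable again (and, with a verifier configured to fail, expects the resumed connection to be rejected) would cover it; I cannot see whether such a test exists elsewhere in the file. As a smaller point, `AtLeast(0)` in the non-TLS branch is just `AnyNumber()` spelled obliquely; an explicit if/else with `.Times(testing::AnyNumber())` versus `.Times(testing::AtLeast(1))` reads more directly than the counter on L28/L31. CompleteCryptoHandshake continues past the end of the hunk.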