gfe-relnote: Enable certificate verification on TLS resumption in QUIC, protected by reloadable flag quic_supports_tls_handshake

PiperOrigin-RevId: 279800956
Change-Id: I58c3f1c32e20a7e7a9eb1c2b4f68538120baf112
diff --git a/quic/core/crypto/tls_client_connection.cc b/quic/core/crypto/tls_client_connection.cc
index 98aa6e7..7d11224 100644
--- a/quic/core/crypto/tls_client_connection.cc
+++ b/quic/core/crypto/tls_client_connection.cc
@@ -14,11 +14,9 @@
 bssl::UniquePtr<SSL_CTX> TlsClientConnection::CreateSslCtx() {
   bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
   // Configure certificate verification.
-  // TODO(nharper): This only verifies certs on initial connection, not on
-  // resumption. Chromium has this callback be a no-op and verifies the
-  // certificate after the connection is complete. We need to re-verify on
-  // resumption in case of expiration or revocation/distrust.
   SSL_CTX_set_custom_verify(ssl_ctx.get(), SSL_VERIFY_PEER, &VerifyCallback);
+  int reverify_on_resume_enabled = 1;
+  SSL_CTX_set_reverify_on_resume(ssl_ctx.get(), reverify_on_resume_enabled);
 
   // Configure session caching.
   SSL_CTX_set_session_cache_mode(
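Review bot: The two lines added after `SSL_CTX_set_custom_verify` turn on re-verification for resumed sessions but carry no comment, and the deleted TODO was the only place that said why this matters: a cached session must not outlive a certificate that has since expired or been revoked/distrusted. I would keep that rationale as a comment, e.g. `// Re-run VerifyCallback on resumed sessions so an expired or revoked/distrusted cert is rejected.`, and replace the mutable local with `SSL_CTX_set_reverify_on_resume(ssl_ctx.get(), /*enabled=*/1);`. `VerifyCallback` is defined outside this hunk, so it is worth confirming that it handles being invoked for a resumed session. A test that resumes against a certificate that is no longer valid would pin the behaviour. The body of `CreateSslCtx` continues past the end of the hunk.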