[dev.boringcrypto] all: merge master into dev.boringcrypto
index ca74989f6ed0b2c9972c26b63cdb1f5adab4e34f..44acdbaf2dcfc94c76599dab604ce0e7471e6db1 100644 (file)
@@ -114,7 +114,16 @@ NextCipherSuite:
        }
 
        if hello.vers >= VersionTLS12 {
-               hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms
+               // The non-BoringCrypto behavior here is to use the full set of
+               // signature algorithms, even if TLS 1.3 is not being negotiated. It's
+               // debatable if this is correct or not, because on one hand it allows
+               // RSA-PSS as a client with TLS 1.2, but on the other hand we can't
+               // predict what the server will pick when we do advertise TLS 1.3, so we
+               // might end up with TLS 1.2 + RSA-PSS anyway. Anyway, it will go away soon.
+               hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms(VersionTLS13)
+       }
+       if testingOnlyForceClientHelloSignatureAlgorithms != nil {
+               hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
        }
 
        var params ecdheParameters
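Review bot: The new `testingOnlyForceClientHelloSignatureAlgorithms` override is checked outside the `hello.vers >= VersionTLS12` guard, so a test that sets it populates `hello.supportedSignatureAlgorithms` even for a ClientHello whose maximum version is below TLS 1.2, where the signature_algorithms extension is not defined. If tests are meant to force the list regardless of version, say so where the hook is read, e.g. `// Applied regardless of hello.vers: tests may deliberately force the list.`; otherwise move the check inside the preceding if block. The explanatory comment above ends with "it will go away soon", which gives a future reader nothing to act on; name what the removal waits on, e.g. `// TODO: remove once <TRACKING-ISSUE> lands.` The enclosing function, at the `NextCipherSuite` label, starts before and continues past this hunk.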
@@ -822,6 +831,8 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
 
        if !c.config.InsecureSkipVerify {
                opts := x509.VerifyOptions{
+                       IsBoring: isBoringCertificate,
+
                        Roots:         c.config.RootCAs,
                        CurrentTime:   c.config.time(),
                        DNSName:       c.config.ServerName,
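Review bot: The added `IsBoring: isBoringCertificate` field is the only entry in this `x509.VerifyOptions` literal that is not driven by `c.config`, and nothing at the call site says why the verifier is handed a package-level predicate for every handshake; a short comment would help, e.g. `// IsBoring lets x509 apply BoringCrypto certificate policy during chain verification.` `isBoringCertificate` is not on this page, so it is presumably defined elsewhere in the package; if it lives in a build-tagged file, a counterpart for non-BoringCrypto builds must exist or this file stops compiling without the tag — worth confirming. The blank line between `IsBoring` and `Roots` inside the literal is a style choice gofmt preserves but that the rest of the literal does not use. The enclosing `verifyServerCertificate` starts before this hunk and its literal continues past it.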