From: Filippo Valsorda
+
@@ -512,6 +523,11 @@ Do not send CLs removing the interior tags from such phrases.
Due to the addition of private fields to
+
The
+ Servers now skip verifying client certificates (including not running
+
Applications can now control the content of session tickets.
+
PublicKey.Equal
and
+ PrivateKey.Equal
+ now execute in constant time.
+ PrecomputedValues
, PrivateKey.Precompute
must be called for optimal performance even if deserializing (for example from JSON) a previously-precomputed private key.
PublicKey.Equal
and
+ PrivateKey.Equal
+ now execute in constant time.
+ GenerateMultiPrimeKey
function and the PrecomputedValues.CRTValues
field have been deprecated. PrecomputedValues.CRTValues
will still be populated when PrivateKey.Precompute
is called, but the values will not be used during decryption operations.
Config.VerifyPeerCertificate
)
+ for resumed connections, besides checking the expiration time. This makes
+ session tickets larger when client certificates are in use. Clients were
+ already skipping verification on resumption, but now check the expiration
+ time even if Config.InsecureSkipVerify
+ is set.
+
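Review bot: "besides checking the expiration time" in the client-certificate paragraph reads as if expiration is an extra check on top of verification rather than the only check that remains; say "other than checking the expiration time". Since Config.VerifyPeerCertificate is no longer run for resumed connections, an application that does revocation or policy checks in that callback loses them for as long as a ticket is valid; the note should say so and tell such applications that the only way to get the check on every connection is to not issue resumption tickets (or to keep ticket lifetimes short). The "Servers now skip verifying client certificates" sentence also opens with "Servers" while the closing sentence is about clients; splitting them into two sentences that each name their side would read more clearly.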
@@ -548,7 +574,7 @@ Do not send CLs removing the interior tags from such phrases.
Config.WrapSession
and
Config.UnwrapSession
- hooks convert a SessionState
to and from a ticket.
+ hooks convert a SessionState
to and from a ticket on the server side.
Config.EncryptTicket
@@ -560,25 +586,31 @@ Do not send CLs removing the interior tags from such phrases.
The ClientSessionState.ResumptionState
method and
NewResumptionState
function
may be used by a ClientSessionCache
implementation to store and
- resume sessions.
+ resume sessions on the client side.
+ To reduce the potential for session tickets to be used as a tracking
+ mechanism across connections, the server now issues new tickets on every
+ resumption (if they are supported and not disabled) and tickets don't bear
+ an identifier for the key that encrypted them anymore. If passing a large
+ number of keys to Conn.SetSessionTicketKeys
,
+ this might lead to a noticeable performance cost.
+
- The package now supports the extended master secret extension (RFC 7627),
- and enables it by default. Additionally, the deprecation of
- ConnectionState.TLSUnique
- has been reverted, and it is populated when a connection which uses
- extended master secret is resumed. Session tickets produced by
- Go pre-1.21 are not interoperable with Go 1.21, meaning connections
- resumed across versions will fall back to full handshakes.
+ Both clients and servers now implement the Extended Master Secret extension (RFC 7627).
+ The deprecation of ConnectionState.TLSUnique
+ has been reverted, and is now set for resumed connections that support Extended Master Secret.
The new QUICConn
type
- provides support for QUIC implementations. Note that this is not itself
- a QUIC implementation.
+ provides support for QUIC implementations, including 0-RTT support. Note
+ that this is not itself a QUIC implementation, and 0-RTT is still not
+ supported in TLS.
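Review bot: the rewritten Extended Master Secret paragraph drops the sentence "Session tickets produced by Go pre-1.21 are not interoperable with Go 1.21, meaning connections resumed across versions will fall back to full handshakes"; that is exactly what an operator doing a rolling upgrade of servers that share ticket keys needs to know, so keep it (or state what replaced it). In the SetSessionTicketKeys paragraph, say why the cost arises: with no key identifier in the ticket, the server has to try each configured key in turn, so the cost grows with the number of keys, which is what "a large number of keys" should be tied to. "has been reverted, and is now set for resumed connections" is missing its subject ("and it is now set"), and "0-RTT is still not supported in TLS" should say "in this package", since the point is that the package does not offer 0-RTT, not that the protocol lacks it.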
@@ -588,8 +620,8 @@ Do not send CLs removing the interior tags from such phrases.
The TLS alert codes sent from the server for client authentication failures have - been improved. Prior to Go 1.21, these failures always resulted in a "bad certificate" alert. - Starting from Go 1.21, certain failures will result in more appropriate alert codes, + been improved. Previously, these failures always resulted in a "bad certificate" alert. + Now, certain failures will result in more appropriate alert codes, as defined by RFC 5246 and RFC 8446:
RevocationList.RevokedCertificates
has been deprecated and replaced with the new RevokedCertificateEntries
field, which is a slice of RevocationListEntry
. RevocationListEntry
contains all of the fields in pkix.RevokedCertificate
, as well as the revocation reason code.
+ Name constraints are now correctly enforced on non-leaf certificates, and + not on the certificates where they are expressed. +
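Review bot: the name-constraints sentence should spell out the behaviour change rather than only saying it is now "correct": constraints expressed in a CA certificate now apply to the certificates below it in the chain and are no longer applied to that CA certificate's own names. Because this changes which chains verify, add that chains which previously verified (or previously failed) may now do the opposite, so operators can test their existing PKI before upgrading. In the RevocationList paragraph, it would help to say whether the deprecated RevokedCertificates field is still populated when a CRL is parsed, since code that reads it will otherwise not know if it keeps working.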