fix: Config.InsecureSkipTimeVerify did not skip peerCertificate expiry check (#303)

Signed-off-by: adotkhan <[email protected]>
Reviewed-by: Gaukas Wang <[email protected]>

Author: adotkhan

handshake_client.go

@@ -368,33 +368,29 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 	// Check that the cached server certificate is not expired, and that it's
 	// valid for the ServerName. This should be ensured by the cache key, but
 	// protect the application from a faulty ClientSessionCache implementation.
-	if c.config.time().After(session.peerCertificates[0].NotAfter) {
-		// Expired certificate, delete the entry.
-		c.config.ClientSessionCache.Put(cacheKey, nil)
-		return nil, nil, nil, nil
+	// [UTLS SECTION START]
+	if !c.config.InsecureSkipTimeVerify {
+		if c.config.time().After(session.peerCertificates[0].NotAfter) {
+			// Expired certificate, delete the entry.
+			c.config.ClientSessionCache.Put(cacheKey, nil)
+			return nil, nil, nil, nil
+		}
 	}
+	// [UTLS SECTION END]
 	if !c.config.InsecureSkipVerify {
 		if len(session.verifiedChains) == 0 {
 			// The original connection had InsecureSkipVerify, while this doesn't.
 			return nil, nil, nil, nil
 		}
-		serverCert := session.peerCertificates[0]
 		// [UTLS SECTION START]
-		if !c.config.InsecureSkipTimeVerify {
-			if c.config.time().After(serverCert.NotAfter) {
-				// Expired certificate, delete the entry.
-				c.config.ClientSessionCache.Put(cacheKey, nil)
-				return nil, nil, nil, nil
-			}
-		}
 		var dnsName string
 		if len(c.config.InsecureServerNameToVerify) == 0 {
 			dnsName = c.config.ServerName
 		} else if c.config.InsecureServerNameToVerify != "*" {
 			dnsName = c.config.InsecureServerNameToVerify
 		}
 		if len(dnsName) > 0 {
-			if err := serverCert.VerifyHostname(dnsName); err != nil {
+			if err := session.peerCertificates[0].VerifyHostname(dnsName); err != nil {
 				return nil, nil, nil, nil
 			}
 		}