From 7409f6f17caff8a1f0ef8dc010409b29dfe5cf3b Mon Sep 17 00:00:00 2001
From: Amir Khan
Date: Mon, 15 Jul 2024 13:06:57 -0400
Subject: [PATCH] fix: Config.InsecureSkipTimeVerify did not skip peerCertificate expiry check

---
 handshake_client.go | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/handshake_client.go b/handshake_client.go
index b142b4d6..390c8dfc 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -368,25 +368,21 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 // Check that the cached server certificate is not expired, and that it's
 // valid for the ServerName. This should be ensured by the cache key, but
 // protect the application from a faulty ClientSessionCache implementation.
- if c.config.time().After(session.peerCertificates[0].NotAfter) {
- // Expired certificate, delete the entry.
- c.config.ClientSessionCache.Put(cacheKey, nil)
- return nil, nil, nil, nil
+ // [UTLS SECTION START]
+ if !c.config.InsecureSkipTimeVerify {
+ if c.config.time().After(session.peerCertificates[0].NotAfter) {
+ // Expired certificate, delete the entry.
+ c.config.ClientSessionCache.Put(cacheKey, nil)
+ return nil, nil, nil, nil
+ }
 }
+ // [UTLS SECTION END]
 if !c.config.InsecureSkipVerify {
 if len(session.verifiedChains) == 0 {
 // The original connection had InsecureSkipVerify, while this doesn't.
 return nil, nil, nil, nil
 }
- serverCert := session.peerCertificates[0]
 // [UTLS SECTION START]
- if !c.config.InsecureSkipTimeVerify {
- if c.config.time().After(serverCert.NotAfter) {
- // Expired certificate, delete the entry.
- c.config.ClientSessionCache.Put(cacheKey, nil)
- return nil, nil, nil, nil
- }
- }
 var dnsName string
 if len(c.config.InsecureServerNameToVerify) == 0 {
 dnsName = c.config.ServerName
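Review bot: The three comment lines kept above the new block still say unconditionally that the cached server certificate is checked for expiry, but the added code skips that check when InsecureSkipTimeVerify is set and leaves the expired entry in ClientSessionCache for later resumptions; the first line should read `// Check that the cached server certificate is not expired (skipped when InsecureSkipTimeVerify is set), and that it's`. The added line also indexes `session.peerCertificates[0]` with no length check visible in this hunk; if loadSession does not reject an empty peerCertificates slice earlier (the function starts before this hunk), a faulty ClientSessionCache entry would panic here instead of being dropped, which is the failure the comment says this code protects against, so a guard such as `if len(session.peerCertificates) == 0 { return nil, nil, nil, nil }` before the time check would be worth confirming or adding. The removed inner block in this hunk and the rename in hunk 2 are consistent with that move and raise no separate point.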
@@ -394,7 +390,7 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 dnsName = c.config.InsecureServerNameToVerify
 }
 if len(dnsName) > 0 {
- if err := serverCert.VerifyHostname(dnsName); err != nil {
+ if err := session.peerCertificates[0].VerifyHostname(dnsName); err != nil {
 return nil, nil, nil, nil
 }
 }