send common certificate sets in the client hello

handshake/crypto_setup_client.go

@@ -297,6 +297,11 @@ func (h *cryptoSetupClient) getTags() (map[Tag][]byte, error) {
 	tags[TagSNI] = []byte(h.hostname)
 	tags[TagPDMD] = []byte("X509")
 
+	ccs := h.certManager.GetCommonCertificateHashes()
+	if len(ccs) > 0 {
+		tags[TagCCS] = ccs
+	}
+
 	versionTag := make([]byte, 4, 4)
 	binary.LittleEndian.PutUint32(versionTag, protocol.VersionNumberToTag(h.version))
 	tags[TagVER] = versionTag

handshake/crypto_setup_client_test.go

@@ -44,6 +44,8 @@ type mockCertManager struct {
 	setDataCalledWith []byte
 	setDataError      error
 
+	commonCertificateHashes []byte
+
 	leafCert          []byte
 	leafCertHash      uint64
 	leafCertHashError error
@@ -60,6 +62,10 @@ func (m *mockCertManager) SetData(data []byte) error {
 	return m.setDataError
 }
 
+func (m *mockCertManager) GetCommonCertificateHashes() []byte {
+	return m.commonCertificateHashes
+}
+
 func (m *mockCertManager) GetLeafCert() []byte {
 	return m.leafCert
 }
@@ -361,11 +367,20 @@ var _ = Describe("Crypto setup", func() {
 
 		It("has the right values for an inchoate CHLO", func() {
 			cs.hostname = "sni-hostname"
+			certManager.commonCertificateHashes = []byte("common certs")
 			tags, err := cs.getTags()
 			Expect(err).ToNot(HaveOccurred())
 			Expect(string(tags[TagSNI])).To(Equal(cs.hostname))
 			Expect(tags[TagPDMD]).To(Equal([]byte("X509")))
 			Expect(tags[TagVER]).To(Equal([]byte("Q036")))
+			Expect(tags[TagCCS]).To(Equal(certManager.commonCertificateHashes))
+		})
+
+		It("doesn't send a CCS if there are no common certificate sets available", func() {
+			certManager.commonCertificateHashes = nil
+			tags, err := cs.getTags()
+			Expect(err).ToNot(HaveOccurred())
+			Expect(tags).ToNot(HaveKey(TagCCS))
 		})
 
 		It("includes the server config id, if available", func() {