)]}'
{
  "commit": "cc55e9fe9062dde8277ef675106666e27526d271",
  "tree": "bc102ae9d6a2da3a8a7c8aaee840f42d3f58f191",
  "parents": [
    "c5fbe07583f571d143fb560fa92cac3f42e9f826"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Tue Feb 17 14:15:20 2026 -0500"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Wed Mar 04 14:08:43 2026 -0800"
  },
  "message": "Handle an API edge case with PSKs and client certificates\n\nIf a client is configured to accept PSKs or server certificates, the\nserver may authenticate with a certificate and then request a client\ncertificate.\n\nThe client may then wish to decline to send a client certificate. We\nnormally express this with an empty credential list. But such a client\ncannot have an empty credential list because it contains PSKs.\n\nDue to the order of protocol decisions, the client\u0027s credential list is\neffectively two credential lists: a set of \"non-certificate\" credentials\n(PSKs, PAKEs), which can pick non-certificate modes, and then a set of\n\"certificate\" credentials. We only care if the second one is empty. In\nother words, skip over PSK/PAKE credentials when evaluating emptiness.\n\nThey\u0027re still one combined list because, on the server, the choice is\nmade at the same time and having one combined list is helpful to express\nan ordering.\n\n(For this purpose, a raw public key is a certificate credential.)\n\nBug: 369963041\nChange-Id: If7b06e2bd347a187499a8621eb692c4a87c5dbf6\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/89567\nReviewed-by: Lily Chen \u003cchlily@google.com\u003e\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "23dc602264d39eb046b16b5c48fa711fc2eff7ce",
      "old_mode": 33188,
      "old_path": "ssl/handshake_client.cc",
      "new_id": "137516bec157ab89770adf95eb08bacd163efde1",
      "new_mode": 33188,
      "new_path": "ssl/handshake_client.cc"
    },
    {
      "type": "modify",
      "old_id": "d00cf8678bc790d5d65d7fe45612e91bcaddc3c4",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/psk_tests.go",
      "new_id": "36f6de6db9eb84594c0db758ace6100025a6f1dd",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/psk_tests.go"
    },
    {
      "type": "modify",
      "old_id": "59dc387188df2d33a4133ac9520c8c9234790d1a",
      "old_mode": 33188,
      "old_path": "ssl/tls13_client.cc",
      "new_id": "9df39b06da23c1cd93a8f2e24b5bc06038efd8da",
      "new_mode": 33188,
      "new_path": "ssl/tls13_client.cc"
    }
  ]
}