Looking into how to do client cert authentication from the Go HTTP client, I found out I needed renegotiation from the client side and I came across issue 5742 for Go on GitHub, which is the issue leading up to renegotiation support being added to Go's crypto/tls package, and there was discussion on the issue about the triple handshake vulnerability.
I read https://blog.cryptographyengineering.com/2014/04/24/attack-of-week-triple-handshakes-3shake/ and it sounds like the third handshake is the session resupmtion handshake, but I'm not sure when that handshake happens, but looking through Go's source code it sounds like resumption during renegotiation is not allowed on Go TLS https://github.com/golang/go/blob/d153df8e4b5874692f4948e9c8e10720446058e3/src/crypto/tls/handshake_client.go#L124-L126. I didn't fully grasp the time frame when the triple handshake would take place, but would that prevent 3shake? Also, would RenegotiateOnceAsClient in Go (which has the Go HTTP client doing TLS do only one renegotiation per connection) do anything to prevent it?
