crypto/tls: customized selection of a client cert during handshake with server #16626
Labels
FeatureRequest
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
Comments
Do you want to send a change? See https://golang.org/doc/contribute.html
Sure. Will you be a reviewer or should I leave it open?
It will be routed to reviewers. I will do the early reviews. @agl can give it the crypto blessing.
OK, thanks for the reply. I will 'git mail' it then.
quentinmit added the NeedsFix label on Oct 10, 2016
CL 25570.
CL https://golang.org/cl/25570 mentions this issue.
CL https://golang.org/cl/32115 mentions this issue.
FiloSottile pushed a commit to FiloSottile/go that referenced this issue on Oct 12, 2018:

Currently, the selection of a client certificate is done internally based on the limitations given by the server's request and the certificates in the Config. This means that it's not possible for an application to control that selection based on details of the request. This change adds a callback, GetClientCertificate, that is called by a Client during the handshake and which allows applications to select the best certificate at that time. (Based on https://golang.org/cl/25570/ by Bernd Fix.)

Fixes golang#16626.

Change-Id: Ia4cea03235d2aa3c9fd49c99c227593c8e86ddd9
Reviewed-on: https://go-review.googlesource.com/32115
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Please answer these questions before submitting your issue. Thanks!

go version:
go version go1.6.3 linux/amd64

go env:
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/opt/go/ext"
GORACE=""
GOROOT="/opt/go/golang"
GOTOOLDIR="/opt/go/golang/pkg/tool/linux_amd64"
GO15VENDOREXPERIMENT="1"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
CXX="g++"
CGO_ENABLED="1"
Requirement for a customized selection of a client certificate during TLS handshake with a server. The current implementation in crypto/tls/handshake_client.go uses the first certificate that is signed by an acceptable CA. The application cannot set the client cert in tls.Config.Certificates based on user selection before calling conn.Handshake(), because it has no way to tell which CAs will be accepted by a server in a handshake.
The problem was locally fixed by cloning crypto/tls and applying the following changes. If the requirement is considered legit and usually useful, feel free to use and modify it as you see fit:
crypto/tls/common.go:
crypto/tls/handshake_client.go(doFullHandshake):
crypto/tls/tls_test.go(TestClone):
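The problem stated in this issue (the client cannot know before conn.Handshake() which CAs the server will accept) and the callback the commit above describes can be seen together in the following added example. It is not code from the issue, from either CL, or from the Go repository; it only uses the tls.Config.GetClientCertificate hook that crypto/tls gained from CL 32115. A client holding certificates from two CAs, CA-A and CA-B, connects to a server that trusts exactly one CA, and the callback selects the client certificate from the server's CertificateRequest (cri.AcceptableCAs) instead of guessing up front. The CA names, the alice-* identities, and the helpers chooseClientCert, mustCert and runHandshake are constructed for this example, and the two sides talk over net.Pipe so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// chooseClientCert builds a tls.Config.GetClientCertificate callback. cri.AcceptableCAs
// holds the DER subject names from the server's CertificateRequest, so the client
// can pick a matching identity mid-handshake. An error aborts; &tls.Certificate{} sends none.
func chooseClientCert(ids []tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for i := range ids {
			for _, ca := range cri.AcceptableCAs {
				if string(ca) == string(ids[i].Leaf.RawIssuer) {
					return &ids[i], nil
				}
			}
		}
		return nil, fmt.Errorf("none of %d client identities is issued by a CA the server accepts", len(ids))
	}
}

// mustCert makes a P-256 certificate for cn: a self-signed CA if parent is nil,
// otherwise a leaf signed by parent for the given extended key usages.
func mustCert(cn string, parent *tls.Certificate, usage ...x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           usage,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// runHandshake performs a mutually authenticated handshake over an in-memory pipe with
// a server trusting only the named CA; it returns the CN of the client cert the server saw.
func runHandshake(trusted string) (string, error) {
	var ids []tls.Certificate
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	for _, name := range []string{"CA-A", "CA-B", "CA-C"} {
		ca := mustCert(name, nil)
		if name == trusted {
			clientCAs.AddCert(ca.Leaf) // its subject is what the client sees in cri.AcceptableCAs
		}
		ids = append(ids, mustCert("alice-"+name, &ca, x509.ExtKeyUsageClientAuth))
	}
	server := mustCert("server", nil, x509.ExtKeyUsageServerAuth)
	roots.AddCert(server.Leaf)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              clientCAs,
		SessionTicketsDisabled: true, // net.Pipe is unbuffered; a TLS 1.3 ticket write would otherwise hang
	}
	// The client carries only the CA-A and CA-B identities; the CA-C one stays out.
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "server", GetClientCertificate: chooseClientCert(ids[:2])}
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	srv, cli := tls.Server(s, srvCfg), tls.Client(c, cliCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	cn, err := runHandshake("CA-B") // the callback picks alice-CA-B; try "CA-C" to see it fail
	fmt.Println(cn, err)
}
```

With the server trusting CA-B the callback returns the CA-B identity even though the CA-A one is listed first; with CA-C it returns an error and the client aborts the handshake with a message naming the cause rather than sending a certificate the server would reject. Two caveats for a real callback: a server may send an empty certificate_authorities list, which means "any CA" and should select a default identity rather than fail, and cri.SignatureSchemes should also be checked so the chosen key type is one the server can verify.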