
crypto/tls: Client-side certificate doesn't work with tip #28925

Closed
anacrolix opened this issue Nov 23, 2018 · 9 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. release-blocker

Comments

@anacrolix
Contributor

What version of Go are you using (go version)?

$ go version
go version devel +ae65615 Wed Nov 21 00:10:38 2018 +0000 linux/amd6

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

$ go env
GOHOSTARCH="amd64"
GOHOSTOS="linux"

What did you do?

A tls.Config containing a single client-side certificate fails with remote error: unknown certificate on the recent go version. With release (1.11), this doesn't happen. Setting tls max version 1.2 doesn't seem to help. May be related to #28779.

@agnivade
Contributor

Hi @anacrolix - Can you provide us with a reproducible code sample? It would help us a lot to quickly debug this issue.

@anacrolix
Contributor Author

I suspect the author of recent changes to crypto/tls client-side handshakes will be best equipped. I don't have the time at present to isolate any more than I have above.

@agnivade
Contributor

/cc @FiloSottile

@FiloSottile
Contributor

No need to isolate it further, but I will need more details to debug this. What's the config? What certificate? Is the server public? If the server is a Go server, what config and version?

@FiloSottile FiloSottile self-assigned this Nov 23, 2018
@anacrolix
Contributor Author

package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"net/http"

	"github.com/anacrolix/missinggo/expect" // assumed import path for the expect.Nil / expect.Ok helpers used below
)

var (
	confluenceTlsConfig = &tls.Config{
		// InsecureSkipVerify: true,
	}
	confluenceHttpTransport = &http.Transport{
		TLSClientConfig: confluenceTlsConfig,
	}
	confluenceHTTPClient = &http.Client{
		Transport: confluenceHttpTransport,
	}
)

// setPrivateConfluenceTlsConfig points the shared TLS config at a self-signed private.pem:
// it is trusted as the only server root and presented as the client certificate.
func setPrivateConfluenceTlsConfig() {
	confluenceTlsConfig.ServerName = "localhost"
	// confluenceTlsConfig.MaxVersion = tls.VersionTLS12
	// Trust only private.pem when verifying the server's certificate.
	confluenceTlsConfig.RootCAs = func() *x509.CertPool {
		ret := x509.NewCertPool()
		b, err := ioutil.ReadFile("private.pem")
		expect.Nil(err)
		expect.Ok(ret.AppendCertsFromPEM(b))
		return ret
	}()
	// Present the same certificate and key as the client certificate.
	confluenceTlsConfig.Certificates = func() []tls.Certificate {
		cert, err := tls.LoadX509KeyPair("private.pem", "private.pem")
		expect.Nil(err)
		return []tls.Certificate{cert}
	}()
}

func main() {
	// The failing websocket.DialConfig call that uses confluenceTlsConfig is not part of this snippet.
	setPrivateConfluenceTlsConfig()
	_ = confluenceHTTPClient
}

private.pem is a self-signed certificate. The server is public, it's a Haskell warp-tls server. If I build the client side (in Go) with 1.11, it works fine. With go +ae65615 it does not. The failing call is a "golang.org/x/net/websocket".DialConfig with the above TLS config.
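Added example, not code from this issue or from the Go project: a self-contained mutual-TLS handshake against a TLS 1.2-only server, showing the behaviour the thread is about from the server's side of the trust decision: a client certificate is accepted only when the server's ClientCAs pool trusts it, and an untrusted one fails the handshake on both ends. The names selfSigned, pool and mutualHandshake are mine, and the certificates are generated in memory as a stand-in for the single self-signed private.pem in the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed certificate usable as both server and client identity (constructed stand-in for private.pem).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pool returns a CertPool that trusts exactly one certificate.
func pool(c tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.Leaf); return p }

// mutualHandshake runs a TLS 1.2 handshake over an in-memory pipe: the server requires a client certificate and trusts only trustedClient; the client trusts server and presents clientCert.
func mutualHandshake(server, clientCert, trustedClient tls.Certificate) (clientErr, serverErr error) {
	c1, c2 := net.Pipe()
	c1.SetDeadline(time.Now().Add(3 * time.Second)) // a stalled handshake becomes an error instead of a hang
	c2.SetDeadline(time.Now().Add(3 * time.Second))
	srvConf := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: pool(trustedClient), MaxVersion: tls.VersionTLS12} // legacy (pre-1.3) server, as in the report
	cliConf := &tls.Config{ServerName: "localhost", RootCAs: pool(server), Certificates: []tls.Certificate{clientCert}}
	done := make(chan error, 1)
	go func() { done <- tls.Server(c2, srvConf).Handshake() }()
	clientErr = tls.Client(c1, cliConf).Handshake()
	return clientErr, <-done
}

func main() {
	srv, cli, other := selfSigned("server"), selfSigned("client"), selfSigned("other")
	fmt.Println(mutualHandshake(srv, cli, cli))   // <nil> <nil>: the trusted client certificate is accepted
	fmt.Println(mutualHandshake(srv, other, cli)) // two errors: the server does not trust "other"
}
```

The second call is the shape of the failure in this thread: the client holds a valid certificate, but the server's trust store does not contain it, so the handshake is refused rather than silently downgraded.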

@FiloSottile
Contributor

Thank you for the extra info! Can you share the address of the server so I can test it?

@anacrolix
Contributor Author

You may run it yourself, it's https://github.com/anacrolix/transcoder. I believe you can just do stack run from the directory (with stack installed, Haskell entails). I'll also email you the private address of an instance. Thanks.

@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 26, 2018
@andybons andybons added this to the Go1.12 milestone Nov 26, 2018
@gopherbot

Change https://golang.org/cl/151660 mentions this issue: crypto/tls: fix client certificates support for legacy servers

@anacrolix
Contributor Author

This worked, thanks.

@golang golang locked and limited conversation to collaborators Dec 3, 2019