
tls.Config.VerifyPeerCertificate should have serverHandshakeState or tls.Conn argument #29895

Closed
LivingInSyn opened this issue Jan 23, 2019 · 5 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Comments

@LivingInSyn

What version of Go are you using (go version)?

go version go1.11 windows/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\[redacted]\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\Users\[redacted]\go
set GOPROXY=
set GORACE=
set GOROOT=C:\Go
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\[redacted]\AppData\Local\Temp\go-build046823206=/tmp/go-build -gno-record-gcc-switches

What did you do?

I want to be able to validate a client certificate's hostname on a TLS server with ClientAuth: tls.RequireAndVerifyClientCert, set on the server tls.Config by using the VerifyPeerCertificate method.

What did you expect to see?

I expected the serverHandshakeState, or the tls.Conn from the serverHandshakeState, to be passed to the VerifyPeerCertificate method.

What did you see instead?

No connection information is passed to the VerifyPeerCertificate method.

@FiloSottile
Contributor

Which information from tls.Conn do you need?

@FiloSottile FiloSottile added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jan 23, 2019
@FiloSottile FiloSottile added this to the Go1.13 milestone Jan 23, 2019
@LivingInSyn
Author

The client IP address would be sufficient. I want to compare the connecting IP to the IP in the client certificate SAN field.

@FiloSottile
Contributor

It's not the easiest thing, but you can use GetConfigForClient to set VerifyPeerCertificate to a closure that has access to the ClientHelloInfo passed to GetConfigForClient.

tls.Config already has too many callbacks, so if something is doable with GetConfigForClient I don't want to add a new helper one. I'd be happy to hear feedback on how to make the docs more helpful though.
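The pattern described above, as an added example that is not code from the Go project or from either participant: GetConfigForClient runs once per connection and receives a ClientHelloInfo whose Conn field exposes the peer address, so the per-connection config can carry a VerifyPeerCertificate closure that compares that address with the client certificate's IP SANs. The helper name verifyClientIPInSAN and the sample addresses are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
)

// verifyClientIPInSAN checks that the leaf of the first verified chain lists the
// connecting peer's IP among its IP SANs. Hypothetical helper, not part of crypto/tls.
func verifyClientIPInSAN(remote net.Addr, verifiedChains [][]*x509.Certificate) error {
	host, _, err := net.SplitHostPort(remote.String())
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return fmt.Errorf("remote address %q is not an ip:port pair", remote)
	}
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return fmt.Errorf("no verified client certificate chain")
	}
	leaf := verifiedChains[0][0]
	for _, san := range leaf.IPAddresses {
		if san.Equal(ip) {
			return nil // peer address matches a certificate IP SAN
		}
	}
	return fmt.Errorf("client IP %s not in certificate IP SANs %v", ip, leaf.IPAddresses)
}

// newServerConfig wires the pattern: GetConfigForClient clones the config per
// connection and installs a VerifyPeerCertificate closure that captures hello.Conn,
// the peer address that VerifyPeerCertificate alone never receives.
func newServerConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	cfg.ClientAuth = tls.RequireAndVerifyClientCert
	cfg.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		perConn := cfg.Clone()
		perConn.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			return verifyClientIPInSAN(hello.Conn.RemoteAddr(), chains)
		}
		return perConn, nil
	}
	return cfg
}

// Stand-alone demo with a constructed leaf certificate; no handshake is performed.
func main() {
	leaf := &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("10.0.0.5")}}
	peer := &net.TCPAddr{IP: net.ParseIP("10.0.0.6"), Port: 4433}
	fmt.Println(verifyClientIPInSAN(peer, [][]*x509.Certificate{{leaf}}))
}
```

With RequireAndVerifyClientCert the closure runs only after the chain has already been validated against ClientCAs, so the IP check is an additional constraint on top of normal verification, not a replacement for it.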

@LivingInSyn
Author

I can make that work, but is that more efficient/better than changing the method signature for VerifyPeerCertificate from:

VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

to

VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate, conn *Conn) error

Either way, I appreciate your help and your time.

@FiloSottile
Contributor

We can't change exported signatures to respect the Go 1 Compatibility Promise.

@golang golang locked and limited conversation to collaborators Jan 23, 2020