New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/tls: wrong private key used for SNI connections #3367
Labels
Comments
Yea, we do indeed use the wrong private key. Nobody has tried using SNI support before because not enough client support it, but we should fix it none the less. But I'll wait until after the initial Go 1 release. Labels changed: added priority-later, packagebug, removed priority-triage. Owner changed to @agl. Status changed to Accepted. |
I would like to see a callback based API that can change the tls.Config used per client. Something similar to this: https://gist.github.com/2161321 I believe this could be further simplified by removing tls.Config.NameToCertificate and tls.Config.BuildNameToCertificate, and switching tls.Config.Certificates back to tls.Config.Certificate tls.Certificate. This would be more inline with OpenSSL's SSL_CTX_set_tlsext_servername_callback API where the callback can return a SSL_CTX (analogous to tls.Config) or null, in which case it uses the existing SSL_CTX. |
There are plenty of odd cases where a callback can be nice (enabling client auth only on some hostnames etc), but the crypto libraries deliberately only aim to solve the 90% case. And I think the 90% case is that you have several certificates on the same IP and want to serve the right one. That doesn't preclude adding the callback in the future, but it would need a firm reason. If you're doing something odd then there's no shame in forking the code. |
This issue was closed by revision e6e8b72. Status changed to Fixed. |
agl
added a commit
that referenced
this issue
May 11, 2015
… key. ««« backport 6a2ea47583df crypto/tls: don't always use the default private key. When SNI based certificate selection is enabled, we previously used the default private key even if we selected a non-default certificate. Fixes #3367. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/5987058 »»»
FiloSottile
pushed a commit
to FiloSottile/go
that referenced
this issue
Oct 12, 2018
When SNI based certificate selection is enabled, we previously used the default private key even if we selected a non-default certificate. Fixes golang#3367. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/5987058
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The text was updated successfully, but these errors were encountered: