net/http: Client cert auth with TLSClientConfig Certificates is not working while using GetCertificates works #34258

Closed
stlaz opened this issue Sep 12, 2019 · 2 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@stlaz

stlaz commented Sep 12, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

It does reproduce with the latest Go version in Arch, which usually corresponds to the latest release.

What operating system and processor architecture are you using (go env)?

go env Output
$ uname -ar
Linux some-hostname 5.2.13-arch1-1-ARCH #1 SMP PREEMPT Fri Sep 6 17:52:33 UTC 2019 x86_64 GNU/Linux
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN="/home/__redacted__/go/bin"
GOCACHE="/home/__redacted__/.cache/go-build"
GOENV="/home/__redacted__/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/__redacted__/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build789481132=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I was writing a simple client with client cert authentication. My server allows for this kind of auth along with other possible authentication options. I followed the docs by specifying the Certificates field for the transport's TLSClientConfig as so:

https://play.golang.org/p/il0hsOJ-3UG

In this case, however, the cert and key were ignored for the authentication and since the server handles unauthenticated requests by redirecting somewhere else, this redirect indeed happened.

When I changed setting the Certificates field to instead use the GetClientCertificates, stuff started working and my server was correctly reacting to my client cert authentication attempts. The new, working code:

https://play.golang.org/p/llosiOPNNGe

What did you expect to see?

I expected the Certificates field to be still working for client cert auth

What did you see instead?

cert/key pair were ignored, no client auth was attempted

@odeke-em
Member

Thank you for the report @stlaz and welcome to the Go project!

Kindly pinging a crypto expert @FiloSottile to take a look since this involves an interaction
between net/http and crypto/tls.

@odeke-em odeke-em added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 14, 2019
@odeke-em changed the title from "net/http: Client cert authentication with Certificates field is not working" to "net/http: Client cert auth with TLSClientConfig Certificates is not working while using GetCertificates works" Sep 14, 2019
@stlaz
Author

stlaz commented Oct 22, 2019

I think I found an issue in our server which behaves quite extraordinarily and won't properly advertise all the CA names for client cert authentication.

This explains why forcing certain client certs in GetClientCertificates() will make the auth pass.

Therefore this is not a bug. Sorry!

@stlaz stlaz closed this as completed Oct 22, 2019
@golang golang locked and limited conversation to collaborators Oct 21, 2020
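
The cause named in the closing comment can be reproduced locally: with TLSClientConfig.Certificates, crypto/tls sends a certificate only if its issuer is among the CA names the server advertises, while a GetClientCertificate callback returns whatever it chooses. The Go program below is an added example, not code from this issue or from the Go project; `selfSigned`, `certsSeen` and the certificate names are assumptions, and an httptest server stands in for the reporter's server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned builds a throwaway self-signed cert (constructed test data; errors ignored, inputs are fixed).
func selfSigned(cn string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	t.Subject.CommonName = cn
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// certsSeen advertises only advertised's subject as a client CA and returns how many client certs the server got.
func certsSeen(advertised, cert tls.Certificate, viaCallback bool) int {
	seen := make(chan int, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen <- len(r.TLS.PeerCertificates) }))
	ca, _ := x509.ParseCertificate(advertised.Certificate[0])
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig
	cfg.Certificates = []tls.Certificate{cert} // sent only if its issuer is among the advertised CA names
	if viaCallback {                           // the callback overrides Certificates and bypasses that filter
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
	}
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	return <-seen
}

func main() {
	cert, other := selfSigned("client"), selfSigned("unrelated-ca")
	fmt.Println(certsSeen(other, cert, false), certsSeen(other, cert, true), certsSeen(cert, cert, false))
}
```

Run stand-alone it prints `0 1 1`: the static certificate is withheld when its issuer is not advertised, the callback sends it regardless, and the static certificate is sent once the server advertises the right CA name. Logging `CertificateRequestInfo.AcceptableCAs` inside a callback is a quick way to see what a server actually advertises.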