crypto/tls: client auth failure alert codes can be improved #52113
Comments
|
I actually have this fixed already in a fork of mine, you can view it here: master...anitgandhi:improve-client-auth-alerts But, I wanted to just quickly have a discussion to here to ensure the maintainers are open to changing this behavior. If folks are open to fixing this, I'll be happy to open a PR/CL from my branch linked above. Thanks in advance! |
|
Perhaps this requires a separate issue or discussion, but I would have also liked to take advantage of the I know I imagine the sentinel error part could be done by extending the existing if c.config.VerifyPeerCertificate != nil {
if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
var errCertificateInvalid x509.CertificateInvalidError
var alert alert
if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Revoked {
alert = alertCertificateRevoked
} else {
alert = alertBadCertificate
}
c.sendAlert(alert)
return err
}
} |
|
/cc @FiloSottile |
cherrymui
added
the
NeedsDecision
|
sorry for the ping on this folks, any thoughts? i wanted to try and get this in before the 1.19 dev freeze, if possible. |
|
CC @golang/security |
|
Change https://go.dev/cl/410496 mentions this issue: |
|
Hey, sorry for the lag. The main portion of this (returning the more specific alerts) seems reasonable. We're currently in the 1.19 freeze, so we'll have to wait for 1.20 to get this in (the tree should re-open in August.) |
|
@rolandshoemaker no problem, and sounds good. I went ahead and opened the CL; is it ok to just leave it as-is until August, or should I close it out? |
|
Yup leave it open and I'll give it a review, and once the tree opens we can submit it. |
|
Hi @rolandshoemaker , just a friendly ping on this/the CL now that the tree has been opened for 1.20. Thanks in advance! |
|
Sorry for the long wait, left a comment on the CL. |
|
@rolandshoemaker 👋 I've resolved the comment on the CL; any chance this could still make it in for 1.20? |
|
Hi @rolandshoemaker , Happy New Year! It would be a huge help for our organization when debugging mTLS errors |
dmitshur
added
NeedsFix
…cation alerts For golang#52113 For golang#58645
|
Change https://go.dev/cl/505436 mentions this issue: |
…cation alerts For golang#52113 For golang#58645
…cation alerts For #52113 For #58645 Change-Id: Id7dff2570132588da95fb4216a86faf34fa2cbdc GitHub-Last-Rev: 94eabfe GitHub-Pull-Request: #60972 Reviewed-on: https://go-review.googlesource.com/c/go/+/505436 Run-TryBot: Roland Shoemaker <roland@golang.org> Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (
go env)?go envOutputWhat did you do?
ClientAuthTypeconfiguration higher thanRequestClientCert. This could be an HTTPS server, gRPC, etc.curl,openssl s_client, etc and provide an invalid client certificate.What did you expect to see?
I'd like to see one of the more meaningful TLS alerts that RFC 5246 (TLSv1.2) or RFC 8446 (TLSv1.3) define. Namely:
certificate_requiredwhen the server is configured withtls.RequireAnyClientCertortls.RequireAndVerifyClientCert, and the client doesn't provide any client certcertificate_expiredwhen the client provides a client cert but it's expired (or not yet valid)unknown_cawhen the client provides a client cert but it's not signed by an authority that the Go TLS server is configured to require.What did you see instead?
TLS alert
bad_certificateis always returned, which is often confusing to end users because it doesn't surface enough information to quickly find out if/how they can fix their client certificate.The text was updated successfully, but these errors were encountered: