crypto/tls: client tls 1.3 handshake doesn't return bad certificate error #56371

Closed
kayrus opened this issue Oct 21, 2022 · 3 comments

Comments

@kayrus

kayrus commented Oct 21, 2022

What version of Go are you using (go version)?

$ go version
go version go1.19.2 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="~/.cache/go-build"
GOENV="~/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="~/go/pkg/mod"
GOOS="linux"
GOPATH="~/go"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="~/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="~/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.2"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="~/tmp/tlsv13-bug/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2371020500=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I'm trying to verify an expired client TLS certificate on the client side using the Handshake() method, but it returns nothing.

What did you expect to see?

I expect to get a bad certificate error returned by the Handshake() method on the client side.

What did you see instead?

Handshake() is called without error, and I get a bad certificate error only once the client starts sending data over the established TLSv1.3 connection. I created a test case showing that TLSv1.3 doesn't work as expected, while TLSv1.2 does.

https://gist.github.com/kayrus/096e129bd4f6a5cf9f41bff06c7eeb83

Result:

$ go run .
2022/10/21 15:49:43.321628 CLIENT: calling: TLSv1.2
2022/10/21 15:49:43.324478 SERVER: tls handshake failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-10-21T15:49:43+02:00 is after 2022-10-21T10:51:46Z
2022/10/21 15:49:43.324501 CLIENT: TLS client Handshake failed: remote error: tls: bad certificate
2022/10/21 15:49:43.324517 CLIENT: calling: TLSv1.3
2022/10/21 15:49:43.327171 SERVER: tls handshake failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-10-21T15:49:43+02:00 is after 2022-10-21T10:51:46Z
2022/10/21 15:49:43.327184 CLIENT: ERROR: server must return a handshake error
exit status 1
@kayrus kayrus changed the title crypto/tls: tls 1.3 handshake doesn't check client certificate crypto/tls: client tls 1.3 handshake doesn't return bad certificate error Oct 21, 2022
@rittneje

https://tip.golang.org/doc/go1.12#tls_1_3

In TLS 1.3 the client is the last one to speak in the handshake, so if it causes an error to occur on the server, it will be returned on the client by the first Read, not by Handshake. For example, that will be the case if the server rejects the client certificate.
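The behaviour described in that release note can be observed directly. The following is an added example, not code from the issue, the linked gist, or the Go project: it builds a throwaway CA and an already-expired client certificate (both constructed in memory), runs a mutual-TLS handshake over loopback at TLS 1.2 and then at TLS 1.3, and reports whether the server's rejection reached the client through Handshake() or only through the first Read(). The function and certificate names are the example's own.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// mkCert issues a certificate from tmpl signed by parentKey, or self-signed when parentKey is nil.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil { parent, parentKey = tmpl, key }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}
// ProbeClientCertRejection runs one mutual-TLS handshake at the given version over loopback with an
// expired client certificate and reports the client's Handshake() error and, if nil, its first Read() error.
func ProbeClientCertRejection(version uint16) (handshakeErr, readErr error) {
	now := time.Now()
	// Constructed CA; to keep the example short it also serves as the server certificate.
	ca, caLeaf := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		DNSNames: []string{"localhost"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}, nil, nil)
	// Constructed client certificate, signed by the CA, that expired an hour ago.
	cli, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "expired-client"},
		NotBefore: now.Add(-2 * time.Hour), NotAfter: now.Add(-time.Hour)}, caLeaf, ca.PrivateKey.(*ecdsa.PrivateKey))
	pool := x509.NewCertPool(); pool.AddCert(caLeaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err, nil }
	defer ln.Close()
	// Server side: require and verify the client certificate; a rejection sends a bad certificate alert.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{ca}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: version, MaxVersion: version}
	go func() {
		if raw, err := ln.Accept(); err == nil { s := tls.Server(raw, srvCfg); s.Handshake(); s.Close() }
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return err, nil }
	c := tls.Client(raw, &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: pool,
		ServerName: "localhost", MinVersion: version, MaxVersion: version})
	defer c.Close()
	if handshakeErr = c.Handshake(); handshakeErr == nil {
		_, readErr = c.Read(make([]byte, 1)) // TLS 1.3: the server's alert only surfaces on the first Read
	}
	return
}
```

A client that needs to know the server accepted its certificate before doing anything else therefore has to follow Handshake() with a Read (or check the first Read/Write error) when TLS 1.3 is negotiated.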

@seankhliao
Member

See above, closing as working as intended.

@seankhliao seankhliao closed this as not planned Oct 24, 2022
@sku0x20

sku0x20 commented Jun 22, 2023

Why is it so complicated :(
Can we mention this explicitly somewhere in the docs, pls... 🥺
