I'm trying to verify an expired client TLS certificate on the client side using the Handshake() method, but it returns nothing.
What did you expect to see?
I expect to get a bad certificate error returned by the Handshake() method on the client side.
What did you see instead?
Handshake() is called without an error and I get the bad certificate error only once the client starts sending data over the established TLSv1.3 connection. I created a test case showing that TLSv1.3 doesn't work as expected, while TLSv1.2 works as expected.
$ go run .
2022/10/21 15:49:43.321628 CLIENT: calling: TLSv1.2
2022/10/21 15:49:43.324478 SERVER: tls handshake failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-10-21T15:49:43+02:00 is after 2022-10-21T10:51:46Z
2022/10/21 15:49:43.324501 CLIENT: TLS client Handshake failed: remote error: tls: bad certificate
2022/10/21 15:49:43.324517 CLIENT: calling: TLSv1.3
2022/10/21 15:49:43.327171 SERVER: tls handshake failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-10-21T15:49:43+02:00 is after 2022-10-21T10:51:46Z
2022/10/21 15:49:43.327184 CLIENT: ERROR: server must return a handshake error
exit status 1
kayrus changed the title from "crypto/tls: tls 1.3 handshake doesn't check client certificate" to "crypto/tls: client tls 1.3 handshake doesn't return bad certificate error" on Oct 21, 2022
In TLS 1.3 the client is the last one to speak in the handshake, so if it causes an error to occur on the server, it will be returned on the client by the first Read, not by Handshake. For example, that will be the case if the server rejects the client certificate.
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
Test case: https://gist.github.com/kayrus/096e129bd4f6a5cf9f41bff06c7eeb83