
crypto/tls: do not require extended key usage extension #5987

Closed
gopherbot opened this issue Jul 29, 2013 · 8 comments

Comments

@gopherbot

by jtolds:

Currently, Go's server TLS implementation requires clientAuth extendedKeyUsage on any
client certificate when client verification is enabled, with no way to turn it off and
still have client certificate verification. (handshake_server.go, processCertsFromClient)

However, from RFC5280:

"Certificate using applications MAY require that the extended key usage extension
be present and that a particular purpose be indicated in order for the certificate to be
acceptable to that application."

This says to me that a specific application should be able to choose this behavior, not
have it be forced on them by the TLS library.

Specifically, OpenSSL does *not* require this.

Can we make this optional, or perhaps only require the clientAuth extendedKeyUsage iff
the extendedKeyUsage field is actually used and not the default empty? Or even better,
support verify callbacks like OpenSSL or GnuTLS?
@rsc
Contributor

rsc commented Jul 30, 2013

Comment 1:

Labels changed: added priority-later, go1.2maybe, removed priority-triage.

Status changed to Thinking.

@rsc
Contributor

rsc commented Jul 30, 2013

Comment 2:

Labels changed: added feature.

@robpike
Contributor

robpike commented Aug 30, 2013

Comment 3:

Not for 1.2.

Labels changed: removed go1.2maybe.

@rsc
Contributor

rsc commented Nov 27, 2013

Comment 4:

Labels changed: added go1.3maybe.

@rsc
Contributor

rsc commented Nov 27, 2013

Comment 5:

Labels changed: removed feature.

@rsc
Contributor

rsc commented Dec 4, 2013

Comment 6:

Labels changed: added release-none, removed go1.3maybe.

@rsc
Contributor

rsc commented Dec 4, 2013

Comment 7:

Labels changed: added repo-main.

@FiloSottile
Contributor

Go likes to be strict wherever possible, and this is not causing widespread issues. It can also now be overridden by VerifyPeerCertificate. Closing.

@golang golang locked and limited conversation to collaborators Jul 21, 2020
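The override FiloSottile refers to, shown as an added example that is not code from the Go project or from anyone in this thread: a server tls.Config that uses RequireAnyClientCert to bypass the built-in clientAuth check and redoes chain building in VerifyPeerCertificate with x509.ExtKeyUsageAny, next to a constructed CA and client leaf whose EKU lists only serverAuth (the names ServerConfig and MakeChain are mine). Trust anchors, signatures and validity periods are still enforced by the callback; only the extended key usage requirement is relaxed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ServerConfig uses RequireAnyClientCert, which demands a client certificate but skips the
// built-in chain check (the one insisting on clientAuth), then redoes it with ExtKeyUsageAny.
func ServerConfig(roots *x509.CertPool, cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAnyClientCert, // guarantees rawCerts is non-empty
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			_, err = leaf.Verify(x509.VerifyOptions{Roots: roots,
				KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
			return err // untrusted, expired or malformed certificates are still rejected
		},
	}
}

// MakeChain is a constructed fixture: a test CA and a client leaf whose EKU lists only
// serverAuth, so Go's default clientAuth check rejects it. Inputs are fixed, errors ignored.
func MakeChain() (roots *x509.CertPool, leafDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // deliberately no clientAuth
	leafDER, _ = x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, leafDER
}
```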