Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/tls: clientHandshake does not properly select the cert to send when len(certReq.certificateAuthorities) != 0 #6380

Closed
gopherbot opened this issue Sep 13, 2013 · 2 comments
Closed

crypto/tls: clientHandshake does not properly select the cert to send when len(certReq.certificateAuthorities) != 0 #6380

gopherbot opened this issue Sep 13, 2013 · 2 comments
Labels
FrozenDueToAge

Comments

@gopherbot
Copy link

by andrew@spacemonkey.com:

What steps will reproduce the problem?
1.  Create a cert chain where A -> B -> C (A signs B signs C)
2.  Start an https server which asks for A in its cert request during handshake
3.  Create an https client which loads C, then B into its tls.Certificate
4.  Connect the client to the server

What is the expected output?
clientHandshake() should present certificate C (the leaf) by identifying that C is
signed by B and B is signed by A, which matches the request.

What do you see instead?
An empty cert is presented.

Which compiler are you using (5g, 6g, 8g, gccgo)?
6g

Which operating system are you using?
Debian wheezy

Which version are you using?  (run 'go version')
go version 1.1

Please provide any additional information below.
Assume you have the following chain of trust:  A -> B -> C, where A signs B signs
C.  During the handshake, the remote end sends a certificate request with A in its
certificateAuthorities.  The client side tls.Certificate structure has C and then B (so
that C will be properly identified as the leaf). When clientHandshake() runs, it
discards C as a candidate (since the issuer is B, which is not A) and then also discards
B since it again compares the leaf issuer to A.  The result is that an empty certificate
is sent and the handshake fails.
@lukescott
Copy link

Comment 1:

I think this might be related to https://golang.org/issue/5390 ,
and may already be fixed.
You should try with tip (http://golang.org/doc/install/source, use "default" branch).
You can build it in ~/go and setup an alias like "gotip" if you want both on your system.

@rsc
Copy link
Contributor

rsc commented Oct 18, 2013

Comment 2:

Please file a new issue mentioning this one if you can still reproduce the bug at tip.
And please include a complete program that demonstrates the problem.

Status changed to TimedOut.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rsc @lukescott @gopherbot