crypto/tls: require serverAuth if extendedKeyUsage on certificate #9000

Closed
gopherbot opened this issue Oct 25, 2014 · 2 comments

Comments

@gopherbot

by donald.stufft:

The tls library in go mandates that client certificates have extendedKeyUsage that
contains a clientAuth. However it does not do the same for serverAuth. Ideally it would
do this check anytime there is an extendedKeyUsage extension on the certificate.
@gopherbot gopherbot added the new label Oct 25, 2014
@bradfitz bradfitz removed the new label Dec 18, 2014
@rsc
Contributor

rsc commented Apr 10, 2015

@agl, thoughts?

@rsc rsc changed the title from "crypto/tls: Require serverAuth if extendedKeyUsage on certificate" to "crypto/tls: require serverAuth if extendedKeyUsage on certificate" Apr 10, 2015
@rsc rsc added this to the Go1.5Maybe milestone Apr 10, 2015
@agl agl self-assigned this Apr 12, 2015
@agl
Contributor

agl commented Apr 12, 2015

handshake_client.go doesn't set the KeyUsages member of x509.VerifyOptions. That means that the default behaviour takes effect, which is to require ExtKeyUsageServerAuth down the chain. (Although MS and Netscape SGC usages are accepted as equal to ServerAuth in order to support certificates in the wild.)

If you think that this isn't working, that would be a bug, but it's supposed to.

@agl agl closed this as completed Apr 12, 2015
@mikioh mikioh modified the milestones: Unplanned, Go1.5Maybe Apr 14, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
@rsc rsc unassigned agl Jun 23, 2022
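
The default that agl describes can be observed directly with crypto/x509. This is an added example, not code from the issue or from the Go project: it issues constructed test certificates under a throwaway CA and verifies each leaf with `x509.VerifyOptions.KeyUsages` left unset. The names `verifyDefault` and `check` and the host name `leaf.example.test` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts on setup failures (key generation, signing, parsing).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// verifyDefault signs a constructed leaf carrying ekus under a constructed CA and
// verifies it with KeyUsages unset, so the x509 default (ServerAuth) applies.
func verifyDefault(ekus ...x509.ExtKeyUsage) error {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"leaf.example.test"},
		NotBefore: from, NotAfter: to, ExtKeyUsage: ekus}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "leaf.example.test"}) // KeyUsages unset
	return err
}

func main() {
	for _, ekus := range [][]x509.ExtKeyUsage{{x509.ExtKeyUsageClientAuth}, {x509.ExtKeyUsageServerAuth}, nil} {
		fmt.Printf("leaf EKU %v: %v\n", ekus, verifyDefault(ekus...))
	}
}
```

A leaf whose extendedKeyUsage lists only clientAuth is rejected with `x509.IncompatibleUsage`, while a leaf that lists serverAuth, or carries no extendedKeyUsage extension at all, verifies.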