net/http: Extend to allow client certificate authentication for HTTPS?

I suggest that it might be quite nice to extend the standard library for HTTPS servers to be able to easily specify client certificates for use in authentication of connections. If this is already possible, I have not found the necessary documentation to assist in that end, but an API exposure of this sort would be quite nice!

[bradfitz]

Use make your own *http.Client with its own *http.Transport as the RoundTripper and set net/http.Transport.Dial to use crypto/tls.Dial with a *tls.Config which includes Certificates.

We probably won't make this any easier, as it's an uncommon request and already composeable with the pieces provided.

I'm sorry if I wasn't clear enough, but I did specify that this was for the server-side. Not client. (As in, the Go HTTPS server library being able to authenticate connecting clients).

Though after some digging it looks like it can possibly be modified here where the config is specified.

Combined with some of the logic pulled from here

You may want to spend a few extra seconds reading the issue before closing it next time, hmm?

[bradfitz]

Sorry. Can't you just check the request.TLS field to see the cert presented?

Yeah, looks like I can. In this bit of code, however, it looks like the config is built with the client authentication in mind. In ListenAndServeTLS, there is this where the configuration is passed in. I could see a function like:

http.ListenAndServeTLSAuth(":8080", nil, "clientcerts.pem")

... being something that could be useful with little modification needed to add the extra step to specify:

config.ClientAuth = tls.RequireAndVerifyClientCert

Looks like this too suffices:

package main

import (
    "crypto/tls"
    "fmt"
    "net/http"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "Hello cert")
    })

    server := &http.Server{
        Addr: ":8090",
        TLSConfig: &tls.Config{
            ClientAuth: tls.RequireAndVerifyClientCert,
        },
    }

    server.ListenAndServeTLS("cert.pem", "cert.key")
}