
net/http: Extend to allow client certificate authentication for HTTPS? #11802

Closed
ghost opened this issue Jul 21, 2015 · 5 comments

@ghost

commented Jul 21, 2015

I suggest that it might be quite nice to extend the standard library for HTTPS servers to be able to easily specify client certificates for use in authentication of connections. If this is already possible, I have not found the necessary documentation to assist in that end, but an API exposure of this sort would be quite nice!

@bradfitz

Member

commented Jul 21, 2015

Make your own *http.Client with its own *http.Transport as the RoundTripper and set net/http.Transport.Dial to use crypto/tls.Dial with a *tls.Config which includes Certificates.

We probably won't make this any easier, as it's an uncommon request and already composable with the pieces provided.

@bradfitz bradfitz closed this Jul 21, 2015

@ghost

Author

commented Jul 21, 2015

I'm sorry if I wasn't clear enough, but I did specify that this was for the server-side. Not client. (As in, the Go HTTPS server library being able to authenticate connecting clients).

Though after some digging it looks like it can possibly be modified here where the config is specified.

Combined with some of the logic pulled from here

You may want to spend a few extra seconds reading the issue before closing it next time, hmm?

@bradfitz

Member

commented Jul 21, 2015

Sorry. Can't you just check the request.TLS field to see the cert presented?

@ghost

Author

commented Jul 21, 2015

Yeah, looks like I can. In this bit of code, however, it looks like the config is built with the client authentication in mind. In ListenAndServeTLS, there is this where the configuration is passed in. I could see a function like:

http.ListenAndServeTLSAuth(":8080", nil, "clientcerts.pem")

... being something that could be useful with little modification needed to add the extra step to specify:

config.ClientAuth = tls.RequireAndVerifyClientCert

@ghost

Author

commented Jul 21, 2015

Looks like this too suffices:

package main

import (
    "crypto/tls"
    "fmt"
    "log"
    "net/http"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        // Only reached after the client certificate has been verified; the
        // certificate itself is available in r.TLS.PeerCertificates.
        fmt.Fprintf(w, "Hello cert")
    })

    server := &http.Server{
        Addr: ":8090",
        TLSConfig: &tls.Config{
            // Reject handshakes that present no certificate or one that does
            // not verify (against ClientCAs, or the system roots if unset).
            ClientAuth: tls.RequireAndVerifyClientCert,
        },
    }

    // ListenAndServeTLS always returns a non-nil error; don't drop it.
    log.Fatal(server.ListenAndServeTLS("cert.pem", "cert.key"))
}

@golang golang locked and limited conversation to collaborators Jul 20, 2016
