
crypto/tls: allow choosing ClientAuth (and others?) based on SNI #15707

Closed
FiloSottile opened this issue May 16, 2016 · 6 comments

Comments

FiloSottile (Member) commented May 16, 2016

tls.Config.ClientAuth is global per server, however there's no reason it shouldn't be a func(clientHello *ClientHelloInfo) (ClientAuthType, *x509.CertPool). See example use case in caddyserver/caddy#829.

On the other hand, the same can be said about NextProtos (already a desired feature, to have HTTP/2 enabled only on some hosts, caddyserver/caddy#189), CipherSuites, SessionTicketKey, ClientSessionCache, CurvePreferences...

I suspect some of them have issues open about them already, but couldn't find them.

danp (Contributor) commented May 17, 2016

Probably related to #15699.

groob (Contributor) commented Jun 12, 2016

The ability to do this in a Go application would be great for internet-facing services. Currently it's relatively easy to support Let's Encrypt, but this limitation requires us to go back to using HAProxy.

My application bundles a SCEP server to issue client certificates and then requires the client to provide the cert at another SNI. Currently it's impossible to do both in a single Go server without using two separate ports.

agl (Contributor) commented Jul 11, 2016

I hope to spend a week working on Go in the 1.8 cycle and to address this.

danp (Contributor) commented Aug 16, 2016

Noticed the title prefix of this issue has a typo: crpyto -> crypto

@bradfitz bradfitz changed the title crpyto/tls: allow choosing ClientAuth (and others?) based on SNI crypto/tls: allow choosing ClientAuth (and others?) based on SNI Aug 16, 2016
bradfitz (Contributor) commented Sep 29, 2016

See #16066 for a related issue and my comment #16066 (comment) for one idea.

@quentinmit quentinmit added the NeedsFix label Oct 10, 2016
gopherbot commented Oct 16, 2016

CL https://golang.org/cl/30790 mentions this issue.

@gopherbot gopherbot closed this in cff3e75 Oct 18, 2016
@golang golang locked and limited conversation to collaborators Oct 18, 2017
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
GetConfigForClient allows the tls.Config to be updated on a per-client
basis.

Fixes golang#16066.
Fixes golang#15707.
Fixes golang#15699.

Change-Id: I2c675a443d557f969441226729f98502b38901ea
Reviewed-on: https://go-review.googlesource.com/30790
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
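The per-client hook that closed this issue is `tls.Config.GetConfigForClient`. The following is an added example, not code from this thread or from the Go tree, showing how it answers the original request: choosing `ClientAuth` and `ClientCAs` from the SNI name, so an enrollment host and a client-cert-only host can share one port. The `hostPolicy` type, the host names and the empty CA pool are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"strings"
)

// hostPolicy is a hypothetical per-SNI policy: ClientAuth mode plus the CA pool that verifies client certs.
type hostPolicy struct {
	ClientAuth tls.ClientAuthType
	ClientCAs  *x509.CertPool
}

// clientAuthBySNI builds a tls.Config.GetConfigForClient callback that picks
// ClientAuth and ClientCAs from the requested server name. Names with no
// policy keep the base config: returning (nil, nil) tells crypto/tls to use it.
func clientAuthBySNI(base *tls.Config, policies map[string]hostPolicy) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		// An empty ServerName means the client sent no SNI; it falls through to base.
		p, ok := policies[strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))]
		if !ok {
			return nil, nil
		}
		cfg := base.Clone() // never mutate the shared base config
		cfg.ClientAuth, cfg.ClientCAs = p.ClientAuth, p.ClientCAs
		return cfg, nil
	}
}

// exampleServerConfig mirrors the SCEP use case from the thread: the enrollment host takes anonymous
// clients, the management host requires a client cert from the SCEP CA. Names and CA pool are placeholders.
func exampleServerConfig() *tls.Config {
	scepCA := x509.NewCertPool() // placeholder: load the real issuing CA here
	base := &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.NoClientCert}
	base.GetConfigForClient = clientAuthBySNI(base, map[string]hostPolicy{
		"scep.example.test": {ClientAuth: tls.NoClientCert},
		"mdm.example.test":  {ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: scepCA},
	})
	return base
}

// effectiveClientAuth reports the ClientAuth mode crypto/tls would apply for the given SNI.
func effectiveClientAuth(cfg *tls.Config, serverName string) (tls.ClientAuthType, error) {
	chosen, err := cfg.GetConfigForClient(&tls.ClientHelloInfo{ServerName: serverName})
	if err != nil || chosen == nil {
		return cfg.ClientAuth, err
	}
	return chosen.ClientAuth, nil
}
```

Because the callback clones the base config, the default mode for unknown or absent SNI stays `NoClientCert`; the stricter mode only applies to names explicitly listed.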