proposal: crypto/tls: provide a way to access local certificate used to set up a connection #24673
Comments
I'll have to check if it would mess with 1.3, and think how to bundle chains, but I can see us adding
Discussed with @agl and @FiloSottile about potentially adding
but trying to understand the motivation a bit more. Compelling use cases would help with justification.
We have a specific use case in the grpc channelz feature. It presents to users the current state of a connection, including information about which local/remote certificate has been used. Users may use it to figure out what identity it presents to the peer, how long the local certificate will last before expiring, etc. Moreover, channel trace could record local certificates tried and failed before, which may be helpful for diagnosing a problematic setup.
Thanks for elaborating. Is a
@agl I just saw this in the docs, what am I missing about TLS 1.3 that can lead to multiple client certs?
Sorry about the delay in response.
And yes, colocating the local certificate with the remote certificate in the
Thank you.
While TLS provides ConnectionState() to share some connection security info, like the remote certificate (PeerCertificates), it lacks the info about the local certificate used to set up a connection. And it's not always possible to predict the local certificate used, as the selection depends on the remote end's requirements. Exposing the local certificate would be very helpful for debugging connection issues; for example, a user may find that the certificate getter returns a suboptimal certificate, which may be expiring soon or have a long verification chain. Moreover, it would also enable collecting certificate usage statistics, which could be valuable for service owners.
@FiloSottile Thanks!
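The issue body above says that ConnectionState() exposes PeerCertificates but nothing about the local certificate, and that the local choice cannot be predicted because it depends on what the remote end asks for. The following Go program is an added example written for this page; it is not code from the proposal, from the Go project or from gRPC. It runs one mutually authenticated handshake over a loopback TCP listener with constructed self-signed certificates, and shows the only place a client can currently learn which of its own certificates was sent: by instrumenting the GetClientCertificate callback. The server side reads the same certificate back out of ConnectionState().PeerCertificates, so the two can be compared. The names mustSelfSigned, HandshakeAndRecord and the identities server.test, client-a and client-b are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustSelfSigned mints a throwaway self-signed ECDSA P-256 certificate for cn.
// Constructed test material for this example only, hence panics instead of error returns.
func mustSelfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // tolerable only because each cert here is its own issuer
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// HandshakeAndRecord runs one mutually authenticated handshake over loopback TCP and returns
// the leaf the client's callback recorded as its local certificate next to the leaf the
// server observed in ConnectionState().PeerCertificates.
func HandshakeAndRecord() (local, peer *x509.Certificate, err error) {
	server, clientA, clientB := mustSelfSigned("server.test"), mustSelfSigned("client-a"), mustSelfSigned("client-b")
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientA.Leaf)
	clientCAs.AddCert(clientB.Leaf)
	rootCAs.AddCert(server.Leaf)
	// The winner depends on the server's CertificateRequest (acceptable CAs, signature schemes),
	// so the callback is the only reliable place to learn which certificate was actually sent.
	var chosen *tls.Certificate // read only after tls.Dial returns, so no lock is needed here
	pick := func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for _, c := range []tls.Certificate{clientA, clientB} {
			if cri.SupportsCertificate(&c) == nil {
				chosen = &c
				return chosen, nil
			}
		}
		return &tls.Certificate{}, nil // nothing acceptable: send an empty Certificate message
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	defer ln.Close()
	var seen *x509.Certificate // written by the server goroutine, published through srvErr
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs})
		defer srv.Close()
		if err := srv.Handshake(); err != nil {
			srvErr <- err
			return
		}
		seen = srv.ConnectionState().PeerCertificates[0] // non-empty once RequireAndVerifyClientCert passes
		srvErr <- nil
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: rootCAs, ServerName: "127.0.0.1", GetClientCertificate: pick})
	if err != nil {
		return nil, nil, err
	}
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return nil, nil, err
	}
	if chosen == nil {
		return nil, nil, fmt.Errorf("server never requested a client certificate")
	}
	return chosen.Leaf, seen, nil
}
func main() {
	local, peer, err := HandshakeAndRecord()
	if err != nil {
		panic(err)
	}
	fmt.Printf("client used %q, server saw %q\n", local.Subject.CommonName, peer.Subject.CommonName)
}
```

Two practical caveats. GetClientCertificate is only consulted when the server sends a CertificateRequest, which is why the nil check on chosen exists; a connection where the server never asked has no local certificate at all. And because one tls.Config (and so one callback) is normally shared by many connections, production code has to key the recorded value per connection (for instance by logging it together with a connection identifier from inside the callback) rather than into a single variable as this loopback example does; the analogous hook on the server side is GetCertificate.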