crypto/tls: Client-side certificate doesn't work with tip #28925

Closed
anacrolix opened this issue Nov 23, 2018 · 9 comments

Comments

@anacrolix anacrolix (Contributor) commented Nov 23, 2018

What version of Go are you using (go version)?

$ go version
go version devel +ae65615 Wed Nov 21 00:10:38 2018 +0000 linux/amd6

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOHOSTARCH="amd64"
GOHOSTOS="linux"

What did you do?

A tls.Config containing a single client-side certificate fails with remote error: unknown certificate on the recent go version. With release (1.11), this doesn't happen. Setting tls max version 1.2 doesn't seem to help. May be related to #28779.

@agnivade agnivade (Contributor) commented Nov 23, 2018

Hi @anacrolix - Can you provide us with a reproducible code sample? It would help us a lot to quickly debug this issue.

@anacrolix anacrolix (Contributor, Author) commented Nov 23, 2018

I suspect the author of recent changes to crypto/tls client-side handshakes will be best equipped. I don't have the time at present to isolate any more than I have above.

@agnivade agnivade (Contributor) commented Nov 23, 2018

@FiloSottile

@FiloSottile FiloSottile (Member) commented Nov 23, 2018

No need to isolate it further, but I will need more details to debug this. What's the config? What certificate? Is the server public? If the server is a Go server, what config and version?

@FiloSottile FiloSottile self-assigned this Nov 23, 2018
@anacrolix anacrolix (Contributor, Author) commented Nov 23, 2018

package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"net/http"

	// Assumed import path for the expect.Nil / expect.Ok assertion helpers
	// used below; the report does not say where they come from.
	"github.com/anacrolix/missinggo/expect"
)

var (
	confluenceTlsConfig = &tls.Config{
		// InsecureSkipVerify: true,
	}
	confluenceHttpTransport = &http.Transport{
		TLSClientConfig: confluenceTlsConfig,
	}
	confluenceHTTPClient = &http.Client{
		Transport: confluenceHttpTransport,
	}
)

// setPrivateConfluenceTlsConfig points the shared client config at the
// self-signed private.pem: it is trusted as the only root, and it is also
// presented as the client certificate.
func setPrivateConfluenceTlsConfig() {
	confluenceTlsConfig.ServerName = "localhost"
	// confluenceTlsConfig.MaxVersion = tls.VersionTLS12
	confluenceTlsConfig.RootCAs = func() *x509.CertPool {
		ret := x509.NewCertPool()
		b, err := ioutil.ReadFile("private.pem")
		expect.Nil(err)
		expect.Ok(ret.AppendCertsFromPEM(b))
		return ret
	}()
	// private.pem holds both the certificate and the key, so the same file
	// is passed as both arguments.
	confluenceTlsConfig.Certificates = func() []tls.Certificate {
		cert, err := tls.LoadX509KeyPair("private.pem", "private.pem")
		expect.Nil(err)
		return []tls.Certificate{cert}
	}()
}

private.pem is a self-signed certificate. The server is public, it's a Haskell warp-tls server. If I build the client side (in Go) with 1.11, it works fine. With go +ae65615 it does not. The failing call is a "golang.org/x/net/websocket".DialConfig with the above TLS config.
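The config above is the client half of a client-authenticated handshake. The exchange it exercises (client presents a certificate, server verifies it against its own pool and a failure surfaces as a handshake error), written out as an added example that is not code from the issue, from the reporter, or from the Go project: two self-signed certificates are constructed in memory (the names "localhost" and "client-1" are assumptions), a Go server requiring a client certificate and a Go client carrying one are connected over net.Pipe, and the handshake is run once with MaxVersion set to TLS 1.2 and once to TLS 1.3, so the same config is checked on both the legacy and the new client code path. Session tickets are disabled only because net.Pipe is synchronous.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed certificate for cn (constructed in memory) and
// returns it as the tls.Certificate to present plus the parsed leaf for the peer's pool.
func selfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// mutualHandshake runs a client-authenticated handshake over an in-memory pipe with
// the client capped at maxVersion. It returns the negotiated version and the client
// certificate CN exactly as the server verified it.
func mutualHandshake(maxVersion uint16) (uint16, string, error) {
	serverCert, serverLeaf, err := selfSigned("localhost", x509.ExtKeyUsageServerAuth)
	if err != nil {
		return 0, "", err
	}
	clientCert, clientLeaf, err := selfSigned("client-1", x509.ExtKeyUsageClientAuth)
	if err != nil {
		return 0, "", err
	}
	// Each side trusts exactly one self-signed certificate: the peer's.
	trustClient, trustServer := x509.NewCertPool(), x509.NewCertPool()
	trustClient.AddCert(clientLeaf)
	trustServer.AddCert(serverLeaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    trustClient,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		// net.Pipe is synchronous: a TLS 1.3 session ticket written after the
		// handshake would block the server with nobody reading, so skip it.
		SessionTicketsDisabled: true,
	}
	clientCfg := &tls.Config{
		ServerName:   "localhost",
		RootCAs:      trustServer,
		Certificates: []tls.Certificate{clientCert},
		MaxVersion:   maxVersion,
	}
	clientConn, serverConn := net.Pipe()
	deadline := time.Now().Add(10 * time.Second)
	clientConn.SetDeadline(deadline)
	serverConn.SetDeadline(deadline)
	server, client := tls.Server(serverConn, serverCfg), tls.Client(clientConn, clientCfg)
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return 0, "", fmt.Errorf("client: %w", err)
	}
	if err := <-serverErr; err != nil {
		return 0, "", fmt.Errorf("server: %w", err)
	}
	cs := server.ConnectionState()
	if len(cs.PeerCertificates) == 0 {
		return cs.Version, "", errors.New("server saw no client certificate")
	}
	return cs.Version, cs.PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		ver, cn, err := mutualHandshake(v)
		fmt.Printf("MaxVersion %#x: negotiated %#x, client CN %q, err %v\n", v, ver, cn, err)
	}
}
```

Running the same check against a non-Go server (for example warp-tls, as in this report) means swapping the net.Pipe server for a real dial; the client side of the config is unchanged. A regression like the one reported shows up as a non-nil error from the client Handshake, while a server that silently ignores the client certificate shows up as an empty PeerCertificates list on the server side.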

@FiloSottile FiloSottile (Member) commented Nov 24, 2018

Thank you for the extra info! Can you share the address of the server so I can test it?

@anacrolix anacrolix (Contributor, Author) commented Nov 24, 2018

You may run it yourself, it's https://github.com/anacrolix/transcoder. I believe you can just do stack run from the directory (with stack installed, Haskell entails). I'll also email you the private address of an instance. Thanks.

@andybons andybons added this to the Go1.12 milestone Nov 26, 2018
@gopherbot gopherbot commented Nov 29, 2018

Change https://golang.org/cl/151660 mentions this issue: crypto/tls: fix client certificates support for legacy servers

@gopherbot gopherbot closed this in d8ce141 Nov 30, 2018
@anacrolix anacrolix (Contributor, Author) commented Dec 3, 2018

This worked, thanks.

@golang golang locked and limited conversation to collaborators Dec 3, 2019