Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
crypto/tls: TLS 1.3 with tls.RequireAndVerifyClientCert not work with mac os 10.12 and chrome 71 at tip #29831
What version of Go are you using (
changed the title
net/http: tls1.3 with tls.RequireAndVerifyClientCert not work with mac os 10.12 and chrome 71 at tip
Jan 22, 2019
My self signed CA and client certificate is created with golang x509.CreateCertificate with 4th argument rsa 2048bit public key, and 5th argument rsa 2048bit private key.
As the tls1.3 with tls.RequireAndVerifyClientCert is work in mac os 10.13.6 and chrome 71. I do not think the certificate key type and bit size is the problem.
Client certificates worked correctly with Chrome 72 and macOS 10.14, and the following code: https://play.golang.org/p/hGgDNOal0XK
What I think is going on is that macOS 10.12 does not support RSA-PSS, which is required by TLS 1.3. I don't have a Sierra machine to confirm, but the
This is consistent with everything you mentioned: it works on 10.13 because they added RSA-PSS, it works with TLS 1.2 because it doesn't require RSA-PSS, it works with Safari because on Sierra it doesn't do TLS 1.3, and it works without
That means you just can't have browser client certificates and TLS 1.3 on Sierra.
We also can't detect the case and disable TLS 1.3 automatically because that would introduce a downgrade vulnerability for all clients, and Chrome would kill the connection upon seeing the downgrade canary (search for "downgrade" in Section 4.1.3). (Unless of course we turned the canary off, but that would defeat a major security property of TLS 1.3, and no other TLS library plans to do that long term.)
That would be a tradeoff decision for the Chrome team, as then any attacker that wants to downgrade a connection could ask for a client certificate, and it would require cancelling the TLS 1.3 handshake and restarting. You can raise it with them in their issue tracker if you want.