tls.Config.VerifyPeerCertificate should have serverHandshakeState or tls.Conn argument #29895

Closed
LivingInSyn opened this Issue Jan 23, 2019 · 5 comments

LivingInSyn commented Jan 23, 2019

What version of Go are you using (go version)?

go version go1.11 windows/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

$ go env
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\[redacted]\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\Users\[redacted]\go
set GOPROXY=
set GORACE=
set GOROOT=C:\Go
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\[redacted]\AppData\Local\Temp\go-build046823206=/tmp/go-build -gno-record-gcc-switches

What did you do?

I want to be able to validate a client certificate's hostname on a TLS server with ClientAuth: tls.RequireAndVerifyClientCert, set on the server tls.Config by using the VerifyPeerCertificate method.

What did you expect to see?

I expected the serverHandshakeState or tls.Conn from the serverHandshakeState to be passed to the VerifyPeerCertificate method.

What did you see instead?

No connection information is passed to the VerifyPeerCertificate method.

FiloSottile commented Jan 23, 2019

Which information from tls.Conn do you need?

FiloSottile added this to the Go1.13 milestone Jan 23, 2019

LivingInSyn commented Jan 23, 2019

The client IP address would be sufficient. I want to compare the connecting IP to the IP in the client certificate SAN field.

FiloSottile commented Jan 23, 2019

It's not the easiest thing, but you can use GetConfigForClient to set VerifyPeerCertificate to a closure that has access to the ClientHelloInfo passed to GetConfigForClient.

tls.Config already has too many callbacks, so if something is doable with GetConfigForClient I don't want to add a new helper one. I'd be happy to hear feedback on how to make the docs more helpful though.
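The GetConfigForClient workaround described above, written out as an added example (not code from the thread or from the Go standard library): the per-connection closure captures ClientHelloInfo.Conn.RemoteAddr() and compares it with the IP SANs of the verified client leaf certificate. The helper names verifyClientIP and newServerConfig and the 10.0.0.5 sample address are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
)

// verifyClientIP checks that the leaf of the already-verified client chain carries an IP SAN
// equal to the peer address. crypto/tls fills verifiedChains only under RequireAndVerifyClientCert.
func verifyClientIP(remote net.Addr, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return fmt.Errorf("no verified client certificate chain")
	}
	host, _, err := net.SplitHostPort(remote.String())
	if err != nil {
		return fmt.Errorf("cannot parse peer address %q: %v", remote.String(), err)
	}
	peerIP := net.ParseIP(host)
	for _, san := range verifiedChains[0][0].IPAddresses { // [0][0] is the client's own cert
		if peerIP != nil && san.Equal(peerIP) {
			return nil
		}
	}
	return fmt.Errorf("client certificate IP SANs do not include peer IP %q", host)
}

// newServerConfig is the workaround from the thread: GetConfigForClient receives the
// ClientHelloInfo (whose Conn field exists since Go 1.8), so it can return a per-connection
// Config whose VerifyPeerCertificate closure has captured the peer address.
func newServerConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	cfg.ClientAuth = tls.RequireAndVerifyClientCert
	cfg.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		remote := hello.Conn.RemoteAddr()
		perConn := cfg.Clone()
		perConn.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			return verifyClientIP(remote, chains)
		}
		return perConn, nil
	}
	return cfg
}

func main() { // stand-alone demo with a constructed, unsigned certificate
	leaf := &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("10.0.0.5")}}
	peer := &net.TCPAddr{IP: net.ParseIP("10.0.0.5"), Port: 4433}
	fmt.Println(verifyClientIP(peer, [][]*x509.Certificate{{leaf}})) // prints <nil>
}
```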

LivingInSyn commented Jan 23, 2019

I can make that work, but is that more efficient/better than changing the method signature for VerifyPeerCertificate from:

VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

to

VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate, conn *Conn) error

Either way, I appreciate your help and your time

FiloSottile commented Jan 23, 2019

We can't change exported signatures to respect the Go 1 Compatibility Promise.
