Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: handshake_client.go compares RawIssuer to leaf #5390

lukescott opened this issue May 2, 2013 · 3 comments

crypto/tls: handshake_client.go compares RawIssuer to leaf #5390

lukescott opened this issue May 2, 2013 · 3 comments


Copy link

Line 207 compares RawIssuer to the Leaf:

When you have an Intermediate CA this fails. The RawIssuer should be compared to the
"Head" certificate, not the "Leaf". Line 207 should be:

if leaf, err = x509.ParseCertificate(cert.Certificate[len(cert.Certificate)-1]); err !=
nil {

Assuming the chain looks like this:

Root CA -> Intermediate CA -> Client Cert

The server has the "Root CA" in tls.Config.ClientCAs. The client has
"Client Cert | Intermediate CA" concated in the same file, loaded with
tls.LoadX509KeyPair (which ensures index 0, "Client Cert", matches the private
key, as it should).
Copy link

Comment 1:

It looks like this issue would be fixed with

Copy link

rsc commented Jul 30, 2013

Comment 2:

Labels changed: added priority-later, go1.2, removed priority-triage.

Status changed to Accepted.

Copy link

agl commented Jul 30, 2013

Comment 3:

Sorry for not seeing this sooner. I believe that the report is correct and that it was
fixed by 64a3ac450b0d, as noted in #1.

Owner changed to @agl.

Status changed to Fixed.

@rsc rsc added this to the Go1.2 milestone Apr 14, 2015
@rsc rsc removed the go1.2 label Apr 14, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet

No branches or pull requests

4 participants