crypto/tls: handshake_client.go compares RawIssuer to leaf

[lukescott]

Line 207 compares RawIssuer to the Leaf:

http://golang.org/src/pkg/crypto/tls/handshake_client.go#L207

When you have an Intermediate CA this fails. The RawIssuer should be compared to the
"Head" certificate, not the "Leaf". Line 207 should be:

if leaf, err = x509.ParseCertificate(cert.Certificate[len(cert.Certificate)-1]); err !=
nil {

Assuming the chain looks like this:

Root CA -> Intermediate CA -> Client Cert

The server has the "Root CA" in tls.Config.ClientCAs. The client has
"Client Cert | Intermediate CA" concated in the same file, loaded with
tls.LoadX509KeyPair (which ensures index 0, "Client Cert", matches the private
key, as it should).

[lukescott]

Comment 1:

It looks like this issue would be fixed with https://golang.org/cl/9795043/.

[rsc]

Comment 2:

Labels changed: added priority-later, go1.2, removed priority-triage.

Status changed to Accepted.

[agl]

Comment 3:

Sorry for not seeing this sooner. I believe that the report is correct and that it was
fixed by 64a3ac450b0d, as noted in #1.

Owner changed to @agl.

Status changed to Fixed.