crypto/tls: handshake_client.go compares RawIssuer to leaf #5390

Closed
lukescott opened this issue May 2, 2013 · 3 comments

@lukescott lukescott commented May 2, 2013

Line 207 compares RawIssuer to the Leaf:

http://golang.org/src/pkg/crypto/tls/handshake_client.go#L207

When you have an Intermediate CA this fails. The RawIssuer should be compared to the
"Head" certificate, not the "Leaf". Line 207 should be:

if leaf, err = x509.ParseCertificate(cert.Certificate[len(cert.Certificate)-1]); err != nil {

Assuming the chain looks like this:

Root CA -> Intermediate CA -> Client Cert

The server has the "Root CA" in tls.Config.ClientCAs. The client has
"Client Cert | Intermediate CA" concatenated in the same file, loaded with
tls.LoadX509KeyPair (which ensures index 0, "Client Cert", matches the private
key, as it should).
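
The mismatch described in this report can be reproduced with a constructed three-certificate chain. This is an added example, not code from the issue or from the Go source tree; `must`, `issue` and `issuerMatchIndex` are hypothetical helpers, and the check goes slightly beyond the one-line suggestion above by scanning every certificate in the client's chain rather than only the last one. The acceptable CA list is modelled as DER-encoded subject names, which is what a TLS CertificateRequest carries.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup helper: panic on any error
	if err != nil {
		panic(err)
	}
	return v
}

func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // throwaway key for the demo
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // no parent given: create a self-signed root
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}

// issuerMatchIndex returns the index of the first cert in chain (leaf first) whose RawIssuer is an acceptable CA name, or -1.
func issuerMatchIndex(acceptableCAs [][]byte, chain ...*x509.Certificate) int {
	for i, cert := range chain {
		for _, ca := range acceptableCAs {
			if bytes.Equal(cert.RawIssuer, ca) {
				return i
			}
		}
	}
	return -1
}

func main() { // constructed chain from the report: Root CA -> Intermediate CA -> Client Cert
	root, rootKey := issue("Root CA", true, nil, nil)
	inter, interKey := issue("Intermediate CA", true, root, rootKey)
	client, _ := issue("Client Cert", false, inter, interKey)
	cas := [][]byte{root.RawSubject} // a server trusting only the root advertises this name
	fmt.Println("leaf only:", issuerMatchIndex(cas, client), "leaf+intermediate:", issuerMatchIndex(cas, client, inter))
}
```

With only the leaf considered, no issuer matches the root's name, so a client using that check would send no certificate; the intermediate's issuer is the one that matches.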
@lukescott lukescott commented May 29, 2013

Comment 1:

It looks like this issue would be fixed with https://golang.org/cl/9795043/.
@rsc rsc commented Jul 30, 2013

Comment 2:

Labels changed: added priority-later, go1.2, removed priority-triage.

Status changed to Accepted.

@agl agl commented Jul 30, 2013

Comment 3:

Sorry for not seeing this sooner. I believe that the report is correct and that it was
fixed by 64a3ac450b0d, as noted in #1.

Owner changed to @agl.

Status changed to Fixed.

@rsc rsc added this to the Go1.2 milestone Apr 14, 2015
@rsc rsc removed the go1.2 label Apr 14, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.