Line 207 compares RawIssuer to the Leaf:
http://golang.org/src/pkg/crypto/tls/handshake_client.go#L207
When you have an Intermediate CA this fails. The RawIssuer should be compared to the
"Head" certificate, not the "Leaf". Line 207 should be:
if leaf, err = x509.ParseCertificate(cert.Certificate[len(cert.Certificate)-1]); err != nil {
Assuming the chain looks like this:
Root CA -> Intermediate CA -> Client Cert
The server has the "Root CA" in tls.Config.ClientCAs. The client has
"Client Cert | Intermediate CA" concatenated in the same file, loaded with
tls.LoadX509KeyPair (which ensures index 0, "Client Cert", matches the private
key, as it should).
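
The mismatch described above, as an added example (not code from crypto/tls or from this report): it builds the Root CA -> Intermediate CA -> Client Cert chain from constructed certificates and compares issuer names against a server that advertises only the root. The helper names issue, matches and demo are hypothetical, and matches goes beyond the single-index comparison by checking every certificate the client would send, which is one possible way to do it; the certificates carry no validity period because only names are compared.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// issue makes a constructed test certificate for cn, signed by parent (self-signed if nil).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// matches reports whether any certificate in chain has a RawIssuer equal to an acceptable CA name.
func matches(chain []*x509.Certificate, acceptableCAs [][]byte) bool {
	for _, c := range chain {
		for _, ca := range acceptableCAs {
			if bytes.Equal(c.RawIssuer, ca) {
				return true
			}
		}
	}
	return false
}

// demo returns the leaf-only result and the whole-chain result for the chain in the report.
func demo() (leafOnly, wholeChain bool) {
	root, rootKey := issue("Root CA", 1, true, nil, nil)
	inter, interKey := issue("Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("Client Cert", 3, false, inter, interKey)
	chain := []*x509.Certificate{leaf, inter} // file order: "Client Cert | Intermediate CA"
	cas := [][]byte{root.RawSubject}          // server lists only the Root CA's name
	return matches(chain[:1], cas), matches(chain, cas)
}

func main() { fmt.Println(demo()) }
```
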