I'm trying to verify an expired client TLS certificate on the client side using the Handshake() method, but it returns nothing.
What did you expect to see?
I expect to get a bad certificate error returned by the Handshake() method on the client side.
What did you see instead?
Handshake() is called without error and I get a bad certificate error only once the client starts sending data over the established TLSv1.3 connection. I created a test case showing that TLSv1.3 doesn't work as expected, while TLSv1.2 works as expected.
$ go run .
2022/10/21 15:49:43.321628 CLIENT: calling: TLSv1.2
2022/10/21 15:49:43.324478 SERVER: tls handshake failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-10-21T15:49:43+02:00 is after 2022-10-21T10:51:46Z
2022/10/21 15:49:43.324501 CLIENT: TLS client Handshake failed: remote error: tls: bad certificate
2022/10/21 15:49:43.324517 CLIENT: calling: TLSv1.3
2022/10/21 15:49:43.327171 SERVER: tls handshake failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-10-21T15:49:43+02:00 is after 2022-10-21T10:51:46Z
2022/10/21 15:49:43.327184 CLIENT: ERROR: server must return a handshake error
exit status 1
Title changed to "crypto/tls: tls 1.3 handshake doesn't check client certificate" on Oct 21, 2022.
In TLS 1.3 the client is the last one to speak in the handshake, so if it causes an error to occur on the server, it will be returned on the client by the first Read, not by Handshake. For example, that will be the case if the server rejects the client certificate.
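The behaviour described in that reply, reproduced in a small Go program added here (it is not the reporter's test case and not part of crypto/tls): the helper names selfSigned and probe are assumptions, the certificates are throwaway self-signed ones generated at run time, and the server is a loopback listener that requires client certificates. probe presents an already-expired client certificate and reports whether the server's rejection came back from the client's Handshake() (TLS 1.2) or only from its first Read() (TLS 1.3).

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)
// selfSigned builds a throwaway self-signed "localhost" cert valid over [from, to] plus a pool trusting it.
func selfSigned(from, to time.Time) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to,
		DNSNames: []string{"localhost"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}
// probe dials a loopback server that requires client certs, presenting an expired one, and reports
// where the rejection reaches the client: tls.Dial's internal Handshake(), or only the first Read().
func probe(version uint16) (handshakeErr, readErr error) {
	now := time.Now()
	srvCert, srvPool := selfSigned(now.Add(-time.Hour), now.Add(time.Hour))
	cliCert, cliPool := selfSigned(now.Add(-2*time.Hour), now.Add(-time.Hour)) // expired an hour ago
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: cliPool, MinVersion: version, MaxVersion: version})
	if err != nil {
		return err, nil
	}
	defer ln.Close()
	go func() { // server side: client-cert verification fails and a bad_certificate alert is sent
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, handshakeErr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{cliCert},
		RootCAs: srvPool, ServerName: "localhost", MinVersion: version, MaxVersion: version})
	if handshakeErr != nil {
		return handshakeErr, nil // TLS 1.2: the alert arrives while the client is still in the handshake
	}
	defer conn.Close()
	_, readErr = conn.Read(make([]byte, 1)) // TLS 1.3: the client spoke last, so the alert only surfaces here
	return nil, readErr
}
```

A client that treats a successful Handshake() as proof that its certificate was accepted must therefore also check the result of the first Read or Write under TLS 1.3.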