proposal: crypto/tls: new option for mTLS servers to not advertise acceptable certificate_authorities

[irsl]

Problem

A Golang mTLS server includes a list of Distinguished Names of acceptable CAs in the TLS handshake. In some threat models, the name of the CAs the server accepts may represent an information leak. Especially, if the CA is use-case specific and contains information about the customer; like this example from the Google space: https://buganizer.corp.google.com/issues/187209748

Currently, the tls/crypto package does not provide a way to not populate certificate_authorities, even though it is not mandatory part of the handshake.

Solution

This could be addressed by adding a new boolean field (something like DontAdvertiseClientCAs bool) in tls.Config to disable this behavior optionally.
Servers that prefer not advertising the CA names could opt-out by flipping this new setting.

[seankhliao]

cc @golang/security

Problem

A Golang mTLS server includes a list of Distinguished Names of acceptable CAs in the TLS handshake. In some threat models, the name of the CAs the server accepts may represent an information leak. Especially, if the CA is use-case specific and contains information about the customer; like this example from the Google space: https://buganizer.corp.google.com/issues/187209748

Currently, the tls/crypto package does not provide a way to not populate certificate_authorities, even though it is not mandatory part of the handshake.

Solution

This could be addressed by adding a new boolean field (something like DontAdvertiseClientCAs bool) in tls.Config to disable this behavior optionally. Servers that prefer not advertising the CA names could opt-out by flipping this new setting.