crypto/tls: do not require extended key usage extension #5987

Open
gopherbot opened this Issue Jul 29, 2013 · 7 comments

gopherbot commented Jul 29, 2013

by jtolds:

Currently, Go's server TLS implementation requires clientAuth extendedKeyUsage on any
client certificate when client verification is enabled, with no way to turn it off and
still have client certificate verification. (handshake_server.go, processCertsFromClient)

However, from RFC5280:

"Certificate using applications MAY require that the extended key usage extension
be present and that a particular purpose be indicated in order for the certificate to be
acceptable to that application."

This says to me that a specific application should be able to choose this behavior, not
have it be forced on them by the TLS library.

Specifically, OpenSSL does *not* require this.

Can we make this optional, or perhaps only require the clientAuth extendedKeyUsage iff
the extendedKeyUsage field is actually used and not the default empty? Or even better,
support verify callbacks like OpenSSL or GnuTLS?
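The behaviour described above boils down to which extended key usages the server passes to the X.509 chain verifier. The following is an added example (not code from this issue or from the Go project) that builds a throwaway in-memory CA and client certificate, then runs the same chain-plus-EKU check a TLS server performs, once with the fixed clientAuth requirement and once with the policy handed to the application (x509.ExtKeyUsageAny). The helper names buildTestPKI, verifyClientChain and isUsageRejection are this example's own; the certificate material is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildTestPKI creates a throwaway in-memory CA and a leaf certificate signed
// by it. The leaf carries exactly the extended key usages passed in (nil means
// the EKU extension is omitted). Constructed test data, not real keys.
func buildTestPKI(leafEKU []x509.ExtKeyUsage) (*x509.Certificate, *x509.CertPool, error) {
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed test client"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  leafEKU,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// verifyClientChain runs the kind of check a TLS server applies to a client
// certificate: chain building against the trusted roots plus an extended key
// usage check. The usages slice is the policy knob the issue asks to expose:
// x509.ExtKeyUsageClientAuth reproduces the fixed server behaviour, while
// x509.ExtKeyUsageAny lets the application accept chains regardless of EKU.
func verifyClientChain(leaf *x509.Certificate, roots *x509.CertPool, usages []x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: usages,
	})
	return err
}

// isUsageRejection reports whether a Verify error is specifically the EKU
// mismatch, as opposed to another chain failure (expiry, unknown CA, ...).
func isUsageRejection(err error) bool {
	var invalid x509.CertificateInvalidError
	return errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage
}

func main() {
	// A client leaf whose EKU extension is present but names only serverAuth.
	leaf, roots, err := buildTestPKI([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	strict := verifyClientChain(leaf, roots, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("clientAuth required:", strict, "| EKU rejection:", isUsageRejection(strict))
	relaxed := verifyClientChain(leaf, roots, []x509.ExtKeyUsage{x509.ExtKeyUsageAny})
	fmt.Println("any EKU accepted:   ", relaxed)
}
```

Distinguishing IncompatibleUsage from other verification failures matters for a server operator: it tells you whether a rejected client presented an untrusted or expired chain (worth alerting on) or merely a certificate minted without the clientAuth purpose (a provisioning fix). A later Go release added tls.Config.VerifyPeerCertificate, which is the kind of application-side verify callback the last paragraph asks for.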
rsc commented Jul 30, 2013

Comment 1:

Labels changed: added priority-later, go1.2maybe, removed priority-triage.

Status changed to Thinking.

rsc commented Jul 30, 2013

Comment 2:

Labels changed: added feature.

robpike commented Aug 30, 2013

Comment 3:

Not for 1.2.

Labels changed: removed go1.2maybe.

rsc commented Nov 27, 2013

Comment 4:

Labels changed: added go1.3maybe.

rsc commented Nov 27, 2013

Comment 5:

Labels changed: removed feature.

rsc commented Dec 4, 2013

Comment 6:

Labels changed: added release-none, removed go1.3maybe.

rsc commented Dec 4, 2013

Comment 7:

Labels changed: added repo-main.

rsc added this to the Unplanned milestone Apr 10, 2015
