
crypto/tls: do not require extended key usage extension #5987

Closed
gopherbot opened this issue Jul 29, 2013 · 8 comments

4 participants
@gopherbot commented Jul 29, 2013

by jtolds:

Currently, Go's server TLS implementation requires clientAuth extendedKeyUsage on any
client certificate when client verification is enabled, with no way to turn it off and
still have client certificate verification. (handshake_server.go, processCertsFromClient)

However, from RFC5280:

"Certificate using applications MAY require that the extended key usage extension
be present and that a particular purpose be indicated in order for the certificate to be
acceptable to that application."

This says to me that a specific application should be able to choose this behavior, not
have it be forced on them by the TLS library.

Specifically, OpenSSL does *not* require this.

Can we make this optional, or perhaps only require the clientAuth extendedKeyUsage iff
the extendedKeyUsage field is actually used and not the default empty? Or even better,
support verify callbacks like OpenSSL or GnuTLS?

@rsc (Contributor) commented Jul 30, 2013

Comment 1:

Labels changed: added priority-later, go1.2maybe, removed priority-triage.

Status changed to Thinking.

@rsc (Contributor) commented Jul 30, 2013

Comment 2:

Labels changed: added feature.

@robpike (Contributor) commented Aug 30, 2013

Comment 3:

Not for 1.2.

Labels changed: removed go1.2maybe.

@rsc (Contributor) commented Nov 27, 2013

Comment 4:

Labels changed: added go1.3maybe.

@rsc (Contributor) commented Nov 27, 2013

Comment 5:

Labels changed: removed feature.

@rsc (Contributor) commented Dec 4, 2013

Comment 6:

Labels changed: added release-none, removed go1.3maybe.

@rsc (Contributor) commented Dec 4, 2013

Comment 7:

Labels changed: added repo-main.

@rsc rsc added this to the Unplanned milestone Apr 10, 2015

@FiloSottile (Member) commented Jul 22, 2019

Go likes to be strict wherever possible, and this is not causing widespread issues. It can also now be overridden by VerifyPeerCertificate. Closing.
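As an added example (not code from this issue or from the Go project) of the override FiloSottile mentions, and of the strict check jtolds describes: a server configured with ClientAuth: tls.RequireAnyClientCert skips crypto/tls's built-in chain verification, and VerifyPeerCertificate re-verifies the presented chain under an EKU policy the application chooses. verifyClientChain, serverConfig, strictPolicy, relaxedPolicy and makeTestPKI are names chosen here; the CA and the serverAuth-only client certificate are constructed in makeTestPKI so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// strictPolicy mirrors the handshake's built-in requirement (clientAuth EKU); relaxedPolicy accepts any EKU.
var (
	strictPolicy  = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	relaxedPolicy = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
)

// verifyClientChain re-verifies the chain a client presented against roots
// under the given EKU policy. The name and policy are this example's own.
func verifyClientChain(roots *x509.CertPool, policy []x509.ExtKeyUsage, rawCerts [][]byte) ([]*x509.Certificate, error) {
	if len(rawCerts) == 0 {
		return nil, fmt.Errorf("no client certificate presented")
	}
	certs := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return nil, fmt.Errorf("parse client certificate: %w", err)
		}
		certs = append(certs, c)
	}
	intermediates := x509.NewCertPool() // everything after the leaf, as the handshake treats it
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	chains, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: policy})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// serverConfig is the workaround: RequireAnyClientCert demands a certificate but skips the built-in
// verification, so the callback is the only check (verifiedChains is nil in this mode and is ignored).
func serverConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{ // the caller still sets Certificates to the server's own chain
		ClientAuth: tls.RequireAnyClientCert,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			_, err := verifyClientChain(roots, relaxedPolicy, rawCerts)
			return err
		},
	}
}

// makeTestPKI builds a constructed CA and a leaf whose EKU extension holds only serverAuth (no clientAuth).
func makeTestPKI() (*x509.CertPool, []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client without clientAuth EKU"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leafDER
}

func main() {
	roots, leafDER := makeTestPKI()
	_, strictErr := verifyClientChain(roots, strictPolicy, [][]byte{leafDER})
	relaxedErr := serverConfig(roots).VerifyPeerCertificate([][]byte{leafDER}, nil)
	fmt.Println("strict:", strictErr, "\nrelaxed:", relaxedErr) // strict: incompatible key usage; relaxed: <nil>
}
```

With RequireAnyClientCert the callback is the only verification performed, so it must check issuer, validity period and intermediates itself; ExtKeyUsageAny relaxes only the EKU requirement, which is the option the report asks for, and leaves the rest of chain validation in place.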
