
crypto/tls: clientHandshake does not properly select the cert to send when len(certReq.certificateAuthorities) != 0 #6380

Closed
gopherbot opened this issue Sep 13, 2013 · 2 comments

Comments

@gopherbot
Copy link

@gopherbot gopherbot commented Sep 13, 2013

by andrew@spacemonkey.com:

What steps will reproduce the problem?
1.  Create a cert chain where A -> B -> C (A signs B signs C)
2.  Start an https server which asks for A in its cert request during handshake
3.  Create an https client which loads C, then B into its tls.Certificate
4.  Connect the client to the server

What is the expected output?
clientHandshake() should present certificate C (the leaf) by identifying that C is
signed by B and B is signed by A, which matches the request.

What do you see instead?
An empty cert is presented.

Which compiler are you using (5g, 6g, 8g, gccgo)?
6g

Which operating system are you using?
Debian wheezy

Which version are you using?  (run 'go version')
go version 1.1

Please provide any additional information below.
Assume you have the following chain of trust:  A -> B -> C, where A signs B signs
C.  During the handshake, the remote end sends a certificate request with A in its
certificateAuthorities.  The client side tls.Certificate structure has C and then B (so
that C will be properly identified as the leaf). When clientHandshake() runs, it
discards C as a candidate (since the issuer is B, which is not A) and then also discards
B since it again compares the leaf issuer to A.  The result is that an empty certificate
is sent and the handshake fails.
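The selection logic the report is about, as an added example that is not code from this issue or from crypto/tls: it builds the A -> B -> C chain with crypto/x509 (names, key types and function names such as DemoChain, LeafIssuerOnly and WalkChain are assumptions for illustration), then compares the leaf-only check the reporter describes with a check that walks every certificate the client would send, which is what the expected output above calls for.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent with parentKey.
// A nil parent produces a self-signed root. (Illustrative helper, not from the page.)
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoChain builds the constructed chain from the report, A -> B -> C, and returns the
// client's tls.Certificate (C first, then B, so C is the leaf), the DER subject of A,
// and the DER subject of an unrelated CA that does not appear in the chain.
func DemoChain() (client tls.Certificate, rootA, unrelated []byte) {
	a, aKey := issue("A", true, nil, nil)
	b, bKey := issue("B", true, a, aKey)
	c, cKey := issue("C", false, b, bKey)
	other, _ := issue("Unrelated", true, nil, nil)
	client = tls.Certificate{Certificate: [][]byte{c.Raw, b.Raw}, PrivateKey: cKey}
	return client, a.RawSubject, other.RawSubject
}

// issuedBy reports whether the issuer of one DER certificate is among the requested CA names.
func issuedBy(der []byte, acceptableCAs [][]byte) bool {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false
	}
	for _, ca := range acceptableCAs {
		if bytes.Equal(cert.RawIssuer, ca) {
			return true
		}
	}
	return false
}

// LeafIssuerOnly models the behaviour the report describes: only the leaf's issuer is
// compared with the requested CAs, so a chain anchored two links up is rejected.
func LeafIssuerOnly(chain *tls.Certificate, acceptableCAs [][]byte) bool {
	if len(chain.Certificate) == 0 {
		return false
	}
	return issuedBy(chain.Certificate[0], acceptableCAs)
}

// WalkChain is the expected behaviour: every certificate the client would send is
// examined, so the chain is selected when any link in it is issued by a requested CA.
func WalkChain(chain *tls.Certificate, acceptableCAs [][]byte) bool {
	for _, der := range chain.Certificate {
		if issuedBy(der, acceptableCAs) {
			return true
		}
	}
	return false
}

func main() {
	client, rootA, unrelated := DemoChain()
	fmt.Println("leaf-only, CA=A:  ", LeafIssuerOnly(&client, [][]byte{rootA})) // false: the reported bug
	fmt.Println("chain walk, CA=A: ", WalkChain(&client, [][]byte{rootA}))      // true
	fmt.Println("chain walk, other:", WalkChain(&client, [][]byte{unrelated}))  // false
}
```

In current Go releases the same chain walk is what tls.CertificateRequestInfo.SupportsCertificate does when AcceptableCAs is non-empty, so a client that sets GetClientCertificate can call it on each candidate instead of reimplementing the comparison.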
@lukescott lukescott commented Sep 24, 2013

Comment 1:

I think this might be related to https://golang.org/issue/5390,
and may already be fixed.
You should try with tip (http://golang.org/doc/install/source, use "default" branch).
You can build it in ~/go and setup an alias like "gotip" if you want both on your system.
@rsc rsc commented Oct 18, 2013

Comment 2:

Please file a new issue mentioning this one if you can still reproduce the bug at tip.
And please include a complete program that demonstrates the problem.

Status changed to TimedOut.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.