Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: clientHandshake does not properly select the cert to send when len(certReq.certificateAuthorities) != 0 #6380

gopherbot opened this issue Sep 13, 2013 · 2 comments


Copy link


What steps will reproduce the problem?
1.  Create a cert chain where A -> B -> C (A signs B signs C)
2.  Start an https server which asks for A in its cert request during handshake
3.  Create an https client which loads C, then B into its tls.Certificate
4.  Connect the client to the server

What is the expected output?
clientHandshake() should present certificate C (the leaf) by identifying that C is
signed by B and B is signed by A, which matches the request.

What do you see instead?
An empty cert is presented.

Which compiler are you using (5g, 6g, 8g, gccgo)?

Which operating system are you using?
Debian wheezy

Which version are you using?  (run 'go version')
go version 1.1

Please provide any additional information below.
Assume you have the following chain of trust:  A -> B -> C, where A signs B signs
C.  During the handshake, the remote end sends a certificate request with A in its
certificateAuthorities.  The client side tls.Certificate structure has C and then B (so
that C will be properly identified as the leaf). When clientHandshake() runs, it
discards C as a candidate (since the issuer is B, which is not A) and then also discards
B since it again compares the leaf issuer to A.  The result is that an empty certificate
is sent and the handshake fails.
Copy link

Comment 1:

I think this might be related to ,
and may already be fixed.
You should try with tip (, use "default" branch).
You can build it in ~/go and setup an alias like "gotip" if you want both on your system.

Copy link

rsc commented Oct 18, 2013

Comment 2:

Please file a new issue mentioning this one if you can still reproduce the bug at tip.
And please include a complete program that demonstrates the problem.

Status changed to TimedOut.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet

No branches or pull requests

3 participants