crypto/tls: clientHandshake does not properly select the cert to send when len(certReq.certificateAuthorities) != 0 #6380
What steps will reproduce the problem?
1. Create a cert chain where A -> B -> C (A signs B signs C)
2. Start an https server which asks for A in its cert request during handshake
3. Create an https client which loads C, then B into its tls.Certificate
4. Connect the client to the server

What is the expected output?
clientHandshake() should present certificate C (the leaf) by identifying that C is signed by B and B is signed by A, which matches the request.

What do you see instead?
An empty cert is presented.

Which compiler are you using (5g, 6g, 8g, gccgo)?
6g

Which operating system are you using?
Debian wheezy

Which version are you using? (run 'go version')
go version 1.1

Please provide any additional information below.
Assume you have the following chain of trust: A -> B -> C, where A signs B signs C. During the handshake, the remote end sends a certificate request with A in its certificateAuthorities. The client side tls.Certificate structure has C and then B (so that C will be properly identified as the leaf). When clientHandshake() runs, it discards C as a candidate (since the issuer is B, which is not A) and then also discards B since it again compares the leaf issuer to A. The result is that an empty certificate is sent and the handshake fails.
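The selection logic the report describes, as an added example written for this page (it is not code from Go's crypto/tls). It builds the chain A -> B -> C with crypto/x509, gives the client the chain [C, B], has the server name A in its request, and compares two strategies: one that loops over the chain but only ever compares the leaf's issuer (the behaviour reported above) and one that walks the presented chain, after first checking that the chain actually links. The helper names (newCert, issuedByRequested, selectLeafOnly, selectByChain, scenario) and the certificate subjects are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certAndKey pairs a parsed certificate with its private key (constructed fixture).
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64

// newCert issues a test certificate for cn, signed by parent (self-signed if nil).
// Fixture code for this example only, not Go's own tls/x509 logic.
func newCert(cn string, isCA bool, parent *certAndKey) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certAndKey{cert: cert, key: key}
}

// issuedByRequested reports whether cert's DER issuer name is one of the names the
// server listed in CertificateRequest.certificate_authorities.
func issuedByRequested(cert *x509.Certificate, requestedCAs [][]byte) bool {
	for _, ca := range requestedCAs {
		if bytes.Equal(cert.RawIssuer, ca) {
			return true
		}
	}
	return false
}

// selectLeafOnly reproduces the reported behaviour: the loop visits every cert in
// the chain, but always compares the leaf's issuer, so B's issuer is never consulted.
func selectLeafOnly(chain []*x509.Certificate, requestedCAs [][]byte) []*x509.Certificate {
	for range chain {
		if issuedByRequested(chain[0], requestedCAs) {
			return chain
		}
	}
	return nil
}

// selectByChain checks that each cert is signed by the next one presented, then
// accepts the chain if any cert in it was issued by a requested CA ([C, B] matches via B).
func selectByChain(chain []*x509.Certificate, requestedCAs [][]byte) []*x509.Certificate {
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return nil // an issuer-name match means nothing if the chain does not link
		}
	}
	for _, c := range chain {
		if issuedByRequested(c, requestedCAs) {
			return chain
		}
	}
	return nil
}

// scenario builds A -> B -> C and a request naming A, and reports: whether the
// leaf-only strategy selects [C, B], whether the chain walk does, and whether the
// chain walk rejects the unlinked chain [C, A] even though A is requested.
func scenario() (leafOnlyFound, byChainFound, unlinkedRejected bool) {
	a := newCert("A root", true, nil)
	b := newCert("B intermediate", true, a)
	c := newCert("C leaf", false, b)
	requestedCAs := [][]byte{a.cert.RawSubject} // the server asks for A
	linked := []*x509.Certificate{c.cert, b.cert}
	unlinked := []*x509.Certificate{c.cert, a.cert}
	return selectLeafOnly(linked, requestedCAs) != nil,
		selectByChain(linked, requestedCAs) != nil,
		selectByChain(unlinked, requestedCAs) == nil
}

func main() {
	leafOnly, byChain, unlinkedRejected := scenario()
	fmt.Printf("leaf-issuer-only selection found a cert: %v\n", leafOnly)
	fmt.Printf("chain-walking selection found a cert:    %v\n", byChain)
	fmt.Printf("chain walk rejected an unlinked chain:   %v\n", unlinkedRejected)
}
```

The signature check before the name match is the caveat worth keeping: matching issuer DNs alone would also accept a chain whose intermediate was never actually used to sign the leaf, so the walk should only trust an issuer name that sits on a verified link.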
This issue was closed.