The tls library in Go mandates that client certificates have an extendedKeyUsage that contains clientAuth. However, it does not do the same for serverAuth. Ideally it would do this check any time there is an extendedKeyUsage extension on the certificate.
handshake_client.go doesn't set the KeyUsages member of x509.VerifyOptions. That means that the default behaviour takes effect, which is to require ExtKeyUsageServerAuth down the chain. (Although MS and Netscape SGC usages are accepted as equal to ServerAuth in order to support certificates in the wild.)
If you think that this isn't working, that would be a bug, but it's supposed to.