
crypto/tls: require serverAuth if extendedKeyUsage on certificate #9000

Closed
gopherbot opened this issue Oct 25, 2014 · 2 comments
@gopherbot gopherbot commented Oct 25, 2014

by donald.stufft:

The tls library in go mandates that client certificates have extendedKeyUsage that contains a clientAuth. However, it does not do the same for serverAuth. Ideally it would do this check anytime there is an extendedKeyUsage extension on the certificate.
@gopherbot gopherbot added the new label Oct 25, 2014
@bradfitz bradfitz removed the new label Dec 18, 2014
@rsc rsc commented Apr 10, 2015

@agl, thoughts?

@rsc rsc changed the title crypto/tls: Require serverAuth if extendedKeyUsage on certificate crypto/tls: require serverAuth if extendedKeyUsage on certificate Apr 10, 2015
@rsc rsc added this to the Go1.5Maybe milestone Apr 10, 2015
@agl agl self-assigned this Apr 12, 2015
@agl agl commented Apr 12, 2015

handshake_client.go doesn't set the KeyUsages member of x509.VerifyOptions. That means that the default behaviour takes effect, which is to require ExtKeyUsageServerAuth down the chain. (Although MS and Netscape SGC usages are accepted as equal to ServerAuth in order to support certificates in the wild.)

If you think that this isn't working, that would be a bug, but it's supposed to.

@agl agl closed this Apr 12, 2015
@mikioh mikioh modified the milestones: Unplanned, Go1.5Maybe Apr 14, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016