Hi Jason,

Do you have any thoughts or opinions on the issue?

Kind regards,
Vinnie

On Sunday, 20 July 2025 at 07:57:09 UTC+10 Jason E. Aten wrote:
> Hi Michael,
>
> See the 9th bullet point under
> https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake
>
> and
>
> https://en.wikipedia.org/wiki/Mutual_authentication
>
> In short, client certs are just like server certs.
> Any cert is a public key signed by a (Certificate Authority) private key.
> The corresponding CA public key is used to verify the signature on the
> client cert (in TLS).
>
> The client cert is then used to verify (during the TLS handshake) that the
> client possesses the private key corresponding to the client cert public key.
>
> To summarize, client certs, like server certs, are built into TLS.
> They provide for mutual authentication.
>
> Most web sites use other forms of client (user) authentication, because of
> the hassle involved in configuring a web browser to obtain and deploy
> client certs.
>
> If you want to play with them, I wrote a convenient tool called selfy that
> can readily generate CA key pairs and certs; here:
>
> https://github.com/glycerine/rpc25519/tree/master/cmd/selfy
>
> with description here:
>
> https://github.com/glycerine/rpc25519/tree/master?tab=readme-ov-file#the-selfy-tool-create-new-keys-quickly-view-certificates
>
> Here is how you use them in code (including password protection checking):
>
> https://github.com/glycerine/rpc25519/blob/bace3bc59bb7a31561687d32f33a36af146994ed/selfcert/step6_loadkeypair.go#L31
>
> Best,
> Jason
>
> On Saturday, July 19, 2025 at 12:19:37 PM UTC+2 Michael Oguidan wrote:
>
>> Hi, I would like to follow this with you, but I would like to know what a
>> client certificate is.
>>
>> On Thursday, July 17, 2025 at 5:06:25 AM UTC Vinnie Vertongen wrote:
>>
>>> The `crypto/tls` library will not configure the client certificate if
>>> the signing certificate authority is not present in the list provided by
>>> the server in `CertificateRequest`. The current implementation causes the
>>> `remote error: tls: certificate required` error, making debugging the
>>> underlying CA issue difficult.
>>>
>>> Additional notes:
>>>
>>> 1. The library code in handshake.go intentionally does not configure the
>>>    certificate if there is no match
>>> 2. The error is as expected, `remote error: tls: unknown certificate
>>>    authority`, if you downgrade the client to TLS v1.2
>>> 3. The behaviour seems intentional and so I didn't want to raise a bug
>>>    ticket - but I think this needs an improvement (Config option?) to assist
>>>    in debugging - it's confusing without reading the library code to
>>>    understand the issue
>>>
>>> ```
>>> package main
>>>
>>> import (
>>> 	"crypto/tls"
>>> 	"fmt"
>>> 	"log"
>>> 	"net/http"
>>> )
>>>
>>> func main() {
>>> 	// Client certificate and key; the issuing CA is what the server checks
>>> 	// against the list it sends in CertificateRequest.
>>> 	clientCert, err := tls.LoadX509KeyPair("certificate", "key")
>>> 	if err != nil {
>>> 		log.Fatalf("Failed to load client certificate: %v", err)
>>> 	}
>>>
>>> 	tlsConfig := &tls.Config{
>>> 		Certificates: []tls.Certificate{clientCert},
>>> 		ServerName:   "localhost",
>>> 	}
>>> 	client := &http.Client{
>>> 		Transport: &http.Transport{
>>> 			TLSClientConfig: tlsConfig,
>>> 		},
>>> 	}
>>> 	resp, err := client.Get("https://localhost:8443")
>>> 	if err != nil {
>>> 		log.Printf("TLS Error: %v", err)
>>> 		return
>>> 	}
>>> 	defer resp.Body.Close()
>>>
>>> 	fmt.Printf("%v\n", resp.Status)
>>> }
>>> ```
>>>
>>> Example HAProxy configuration:
>>> ```
>>> global
>>>     daemon
>>>
>>> defaults
>>>     mode http
>>>     timeout connect 5000ms
>>>     timeout client 50000ms
>>>     timeout server 50000ms
>>>
>>> frontend mtls_frontend
>>>     # Client certificate CA not present (remote error: tls: certificate required)
>>>     bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
>>>     # Client certificate CA present (success)
>>>     #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/chain.pem
>>>     default_backend web_servers
>>>
>>> backend web_servers
>>>     server web1 127.0.0.1:8080 check
>>> ```
>>>
>>

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/18b90c38-0102-4ece-8fa9-8e422d16f3f7n%40googlegroups.com.
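The "Config option" the original post asks for already exists as an extension point: `tls.Config.GetClientCertificate` takes precedence over `Config.Certificates` and receives the server's `CertificateRequestInfo`, whose `AcceptableCAs` field holds the DER-encoded CA subject names the server sent in `CertificateRequest`. The default selection loop calls `CertificateRequestInfo.SupportsCertificate` on each configured certificate and, if none matches, sends an empty Certificate message, which is why a TLS 1.3 server answers `certificate required`. The program below is an added example written for this thread (it is not code from the posters, HAProxy or the Go project). It reproduces the failure entirely in memory: a throwaway CA and leaf certificates, an mTLS server over `net.Pipe`, and a hypothetical `diagnosingClientCert` hook that applies the same `SupportsCertificate` test but fails the handshake locally with the server's acceptable CA list spelled out. The helper names `must`, `mkCert` and `tryHandshake` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// must panics on error: throwaway scaffolding for the demo, not production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert builds an in-memory cert: a self-signed CA if parent is nil, else a "localhost" leaf signed by parent.
func mkCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	parentTmpl, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		parentTmpl, signer = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentTmpl, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// diagnosingClientCert (hypothetical hook) mirrors the stdlib's default selection via
// SupportsCertificate, but on no match fails locally and names the CAs the server listed
// in CertificateRequest instead of sending an empty Certificate and getting an alert back.
func diagnosingClientCert(certs []tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		var reasons, cas []string
		for i := range certs {
			if err := cri.SupportsCertificate(&certs[i]); err != nil {
				reasons = append(reasons, fmt.Sprintf("cert[%d]: %v", i, err))
			} else {
				return &certs[i], nil
			}
		}
		for _, raw := range cri.AcceptableCAs { // each entry is a DER-encoded CA subject name
			var rdn pkix.RDNSequence
			if _, err := asn1.Unmarshal(raw, &rdn); err == nil {
				cas = append(cas, rdn.String())
			}
		}
		return nil, fmt.Errorf("no configured client certificate is acceptable to the server (it accepts CAs: %s): %s",
			strings.Join(cas, ", "), strings.Join(reasons, "; "))
	}
}

// tryHandshake runs one mTLS handshake over net.Pipe: the server requires a client cert chaining to
// acceptedCA, the client offers clientCert. Read drives the handshake and surfaces the server's alert.
func tryHandshake(acceptedCA, clientCert tls.Certificate, diagnose bool) error {
	pool := x509.NewCertPool()
	pool.AddCert(acceptedCA.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{mkCert("server", &acceptedCA)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // pool subjects go into CertificateRequest
	cliCfg := &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: pool, ServerName: "localhost"}
	if diagnose {
		cliCfg.GetClientCertificate = diagnosingClientCert(cliCfg.Certificates) // overrides default selection
	}
	cliConn, srvConn := net.Pipe()
	go func() {
		defer srvConn.Close()
		s := tls.Server(srvConn, srvCfg)
		if s.Handshake() == nil {
			s.Write([]byte("ok"))
		}
	}()
	c := tls.Client(cliConn, cliCfg)
	defer c.Close()
	_, err := c.Read(make([]byte, 2)) // as with http.Client, a TLS 1.3 server alert shows up on the first Read
	return err
}

func main() {
	caA, caB := mkCert("CA-A", nil), mkCert("CA-B", nil)
	fmt.Println("default:", tryHandshake(caA, mkCert("client-B", &caB), false)) // remote error: tls: certificate required
	fmt.Println("hook:   ", tryHandshake(caA, mkCert("client-B", &caB), true))  // local error naming CN=CA-A
}
```

With the hook installed the client never sends the empty Certificate, so the failure is attributed where it belongs (the configured chain is not issued by any CA the server named) rather than surfacing as a bare server alert; with a matching CA the hook returns the same certificate the default loop would have picked.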