Hi Jason, 

Do you have any thoughts or opinions on the issue? 

Kind regards,
Vinnie

On Sunday, 20 July 2025 at 07:57:09 UTC+10 Jason E. Aten wrote:

> Hi Michael,
>
> See the 9th bullet point under 
> https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake
>
> and
>
> https://en.wikipedia.org/wiki/Mutual_authentication
>
> In short, client certs are just like server certs. 
> Any cert is a public key signed by a (Certificate Authority) private key.
> The corresponding CA public key is used to verify the signature on the 
> client cert (in TLS).
>
> The client cert is then used to verify (during the TLS handshake) that the
> client possesses the private key corresponding to the client cert public key.
>
> To summarize, client certs, like server certs, are built into TLS. 
> They provide for mutual authentication.  
>
> Most web sites use other forms of client (user) authentication, because of
> the hassle involved in configuring a web browser to obtain and deploy 
> client certs.
>
> If you want to play with them, I wrote a convenient tool called selfy that 
> can readily generate CA key pairs and certs; here:
>
> https://github.com/glycerine/rpc25519/tree/master/cmd/selfy
>
> with description here:
>
> https://github.com/glycerine/rpc25519/tree/master?tab=readme-ov-file#the-selfy-tool-create-new-keys-quickly-view-certificates
>
> Here is how you use them in code (including password protection checking):
>
>
> https://github.com/glycerine/rpc25519/blob/bace3bc59bb7a31561687d32f33a36af146994ed/selfcert/step6_loadkeypair.go#L31
>
> Best,
> Jason
>
> On Saturday, July 19, 2025 at 12:19:37 PM UTC+2 Michael Oguidan wrote:
>
>> Hi, I would like to follow this with you, but I would like to know what a
>> client certificate is.
>>
>> On Thursday, July 17, 2025 at 5:06:25 AM UTC Vinnie Vertongen wrote:
>>
>>> The `crypto/tls` library will not configure the client certificate if
>>> the signing certificate authority is not present in the list provided by
>>> the server in `CertificateRequest`. The current implementation causes the
>>> `remote error: tls: certificate required` error, which makes debugging the
>>> underlying CA issue difficult.
>>>
>>> Additional notes:
>>>
>>> 1. The library code in handshake.go intentionally does not configure the
>>> certificate if there is no match.
>>> 2. The error is, as expected, `remote error: tls: unknown certificate
>>> authority` if you downgrade the client to TLS v1.2.
>>> 3. The behaviour seems intentional, so I didn't want to raise a bug
>>> ticket - but I think this needs an improvement (Config option?) to assist
>>> in debugging. It's confusing without reading the library code to
>>> understand the issue.
>>>
>>>
>>> ```
>>> package main
>>>
>>> import (
>>> 	"crypto/tls"
>>> 	"fmt"
>>> 	"log"
>>> 	"net/http"
>>> )
>>>
>>> func main() {
>>> 	// Client certificate and private key files (paths as given here).
>>> 	clientCert, err := tls.LoadX509KeyPair("certificate", "key")
>>> 	if err != nil {
>>> 		log.Fatalf("Failed to load client certificate: %v", err)
>>> 	}
>>>
>>> 	tlsConfig := &tls.Config{
>>> 		Certificates: []tls.Certificate{clientCert},
>>> 		ServerName:   "localhost",
>>> 	}
>>> 	client := &http.Client{
>>> 		Transport: &http.Transport{
>>> 			TLSClientConfig: tlsConfig,
>>> 		},
>>> 	}
>>> 	// When the server's CA list does not match the client cert's issuer,
>>> 	// crypto/tls sends no certificate and this call fails with
>>> 	// "remote error: tls: certificate required" (TLS 1.3).
>>> 	resp, err := client.Get("https://localhost:8443")
>>> 	if err != nil {
>>> 		log.Printf("TLS Error: %v", err)
>>> 		return
>>> 	}
>>> 	defer resp.Body.Close()
>>>
>>> 	fmt.Printf("%v\n", resp.Status)
>>> }
>>> ```
>>>
>>> Example HAProxy configuration:
>>> ```
>>> global
>>>     daemon
>>>
>>> defaults
>>>     mode http
>>>     timeout connect 5000ms
>>>     timeout client 50000ms
>>>     timeout server 50000ms
>>>
>>> frontend mtls_frontend
>>>     # Client certificate CA not present (remote error: tls: certificate required)
>>>     bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
>>>     # Client certificate CA present (success)
>>>     #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/chain.pem
>>>     default_backend web_servers
>>>
>>> backend web_servers
>>>     server web1 127.0.0.1:8080 check
>>> ```
>>>
>>
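A debugging aid along the lines of the Config option Vinnie asks for, as an added example that is not part of this thread or of crypto/tls: a `GetClientCertificate` callback that runs the library's own `SupportsCertificate` check and, on mismatch, fails the handshake on the client with the certificate's issuer and the decoded `AcceptableCAs` from the server's `CertificateRequest`, instead of silently sending no certificate and getting `remote error: tls: certificate required` back. The name `explainingSelector`, the Ed25519 key choice and the self-signed fixture are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// explainingSelector returns a tls.Config.GetClientCertificate callback: when the handshake's
// own check rejects cert (which must hold its leaf, as LoadX509KeyPair guarantees), it fails
// locally, naming cert's issuer and the CAs the server advertised, instead of sending nothing.
func explainingSelector(cert tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		err := cri.SupportsCertificate(&cert) // same check crypto/tls applies before sending
		if err == nil {
			return &cert, nil
		}
		var cas []string
		for _, der := range cri.AcceptableCAs { // DER distinguished names from CertificateRequest
			rdn, name := pkix.RDNSequence{}, pkix.Name{}
			if _, e := asn1.Unmarshal(der, &rdn); e == nil {
				name.FillFromRDNSequence(&rdn)
			}
			cas = append(cas, name.String())
		}
		issuer := "<unparseable leaf>"
		if leaf, e := x509.ParseCertificate(cert.Certificate[0]); e == nil {
			issuer = leaf.Issuer.String()
		}
		return nil, fmt.Errorf("client cert issued by %q not sent: %v; server accepts %q", issuer, err, cas)
	}
}

// selfSignedCert is a constructed offline fixture; a real client uses tls.LoadX509KeyPair as above.
func selfSignedCert(cn string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}
```

Plug it in with `&tls.Config{GetClientCertificate: explainingSelector(clientCert)}` in place of the `Certificates` field; with HAProxy's `verify required ca-file` pointing at a CA that did not issue the client cert, the failure then surfaces on the client together with the CA names the server will accept.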
