Hi Vinnie,

Do you mean the error you got being hard to fathom? I don't have experience with getting that same error so I cannot really say.

Filing an issue is the only way I know to have it discussed and considered by a library's maintainers; and even if the current behavior is intended, oftentimes package authors would like to hear about pain points and sharp edges that can be sanded.

Best wishes,
Jason
On Monday, August 4, 2025 at 10:53:46 PM UTC+1 Vinnie Vertongen wrote:

> Hi Jason, 
>
> Do you have any thoughts or opinions on the issue? 
>
> Kind regards,
> Vinnie
> On Sunday, 20 July 2025 at 07:57:09 UTC+10 Jason E. Aten wrote:
>
>> Hi Michael,
>>
>> See the 9th bullet point under 
>> https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake
>>
>> and
>>
>> https://en.wikipedia.org/wiki/Mutual_authentication
>>
>> In short, client certs are just like server certs. 
>> Any cert is a public key signed by a (Certificate Authority) private key.
>> The corresponding CA public key is used to verify the signature on the client cert (in TLS).
>>
>> The client cert is then used to verify (during the TLS handshake) that the client
>> possesses the private key corresponding to the client cert public key.
>>
>> To summarize, client certs, like server certs, are built into TLS. 
>> They provide for mutual authentication.  
>>
>> Most web sites use other forms of client (user) authentication, because of
>> the hassle involved in configuring a web browser to obtain and deploy 
>> client certs.
>>
>> If you want to play with them, I wrote a convenient tool called selfy that
>> can readily generate CA key pairs and certs; here:
>>
>> https://github.com/glycerine/rpc25519/tree/master/cmd/selfy
>>
>> with description here:
>>
>> https://github.com/glycerine/rpc25519/tree/master?tab=readme-ov-file#the-selfy-tool-create-new-keys-quickly-view-certificates
>>
>> Here is how you use them in code (including password protection checking):
>>
>>
>> https://github.com/glycerine/rpc25519/blob/bace3bc59bb7a31561687d32f33a36af146994ed/selfcert/step6_loadkeypair.go#L31
>>
>> Best,
>> Jason
>>
>> On Saturday, July 19, 2025 at 12:19:37 PM UTC+2 Michael Oguidan wrote:
>>
>>> Hi, I would like to follow this with you, but I would like to know what a
>>> client certificate is.
>>>
>>> On Thursday, July 17, 2025 at 5:06:25 AM UTC Vinnie Vertongen wrote:
>>>
>>>> The `crypto/tls` library will not configure the client certificate if the
>>>> signing certificate authority is not present in the list provided by the
>>>> server in `CertificateRequest`. The current implementation causes the
>>>> `remote error: tls: certificate required` error, making debugging the
>>>> underlying CA issue difficult.
>>>>
>>>> Additional notes:
>>>>
>>>> 1. The library code in handshake.go intentionally does not configure the
>>>> certificate if there is no match.
>>>> 2. The error is as expected, `remote error: tls: unknown certificate
>>>> authority`, if you downgrade the client to TLS v1.2.
>>>> 3. The behaviour seems intentional, so I didn't want to raise a bug
>>>> ticket, but I think this needs an improvement (Config option?) to assist
>>>> in debugging; it's confusing without reading the library code to
>>>> understand the issue.
>>>>
>>>>
>>>> ```
>>>> package main
>>>>
>>>> import (
>>>> 	"crypto/tls"
>>>> 	"fmt"
>>>> 	"log"
>>>> 	"net/http"
>>>> )
>>>>
>>>> func main() {
>>>> 	// Client certificate and key as PEM files on disk.
>>>> 	clientCert, err := tls.LoadX509KeyPair("certificate", "key")
>>>> 	if err != nil {
>>>> 		log.Fatalf("Failed to load client certificate: %v", err)
>>>> 	}
>>>>
>>>> 	// crypto/tls picks a cert from Certificates only if its issuer is in the
>>>> 	// server's CertificateRequest CA list; otherwise it sends none.
>>>> 	tlsConfig := &tls.Config{
>>>> 		Certificates: []tls.Certificate{clientCert},
>>>> 		ServerName:   "localhost",
>>>> 	}
>>>> 	client := &http.Client{
>>>> 		Transport: &http.Transport{
>>>> 			TLSClientConfig: tlsConfig,
>>>> 		},
>>>> 	}
>>>> 	resp, err := client.Get("https://localhost:8443")
>>>> 	if err != nil {
>>>> 		log.Printf("TLS Error: %v", err)
>>>> 		return
>>>> 	}
>>>> 	defer resp.Body.Close()
>>>>
>>>> 	fmt.Printf("%v\n", resp.Status)
>>>> }
>>>> ```
>>>>
>>>> Example HAProxy configuration:
>>>> ```
>>>> global
>>>>     daemon
>>>>
>>>> defaults
>>>>     mode http
>>>>     timeout connect 5000ms
>>>>     timeout client 50000ms
>>>>     timeout server 50000ms
>>>>
>>>> frontend mtls_frontend
>>>>     # Client certificate CA not present (remote error: tls: certificate required)
>>>>     bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
>>>>     # Client certificate CA present (success)
>>>>     #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/chain.pem
>>>>     default_backend web_servers
>>>>
>>>> backend web_servers
>>>>     server web1 127.0.0.1:8080 check
>>>> ```
>>>>
>>>

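The following is an added example, not code from this thread or from the rpc25519 project, that reproduces the behaviour Vinnie describes end to end and shows the existing `crypto/tls` hook that gives the debugging aid he asks for. It builds two constructed in-memory CAs (the names "Constructed Root A" and "Constructed Root B", the `newCA`, `issue`, `diagnoseClientCert` and `runHandshake` helpers and the "alice" leaf are all assumptions of this example), runs a loopback mTLS server that requires a client certificate, and connects three times: server trusts the client's CA (success); server trusts a different CA with the default `Config.Certificates` selection, which sends an empty Certificate message and surfaces only as the remote `certificate required` alert; and the same mismatch with a `GetClientCertificate` callback that calls the standard library's `CertificateRequestInfo.SupportsCertificate` (the same check the default selection uses) and fails locally, naming the client cert's issuer and the CAs the server actually listed in its CertificateRequest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a constructed, in-memory self-signed CA; nothing is written to disk.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issue signs a leaf under ca; it carries both EKUs so one helper serves server and client.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// diagnoseClientCert is a GetClientCertificate callback: where the default selection silently
// sends an empty Certificate message, it fails locally and names the issuer and the server's CA list.
func diagnoseClientCert(cert tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		err := cri.SupportsCertificate(&cert) // the same check crypto/tls applies to Config.Certificates
		if err == nil {
			return &cert, nil
		}
		leaf, _ := x509.ParseCertificate(cert.Certificate[0])
		var accepted []string
		for _, der := range cri.AcceptableCAs { // DER distinguished names from the CertificateRequest
			var rdn pkix.RDNSequence
			if _, perr := asn1.Unmarshal(der, &rdn); perr == nil {
				accepted = append(accepted, rdn.String())
			}
		}
		return nil, fmt.Errorf("not sending client cert issued by %q: %v (server accepts %v)",
			leaf.Issuer.CommonName, err, accepted)
	}
}

// runHandshake runs one mTLS connection on loopback; the server requires a client cert chained to
// trustedClientCA, the client trusts serverCA, and the first client-side error (Dial or Read) is returned.
func runHandshake(serverCert, clientCert tls.Certificate, serverCA, trustedClientCA *x509.Certificate, diagnose bool) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(serverCA)
	pool.AddCert(trustedClientCA)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "localhost"}
	if diagnose {
		cliCfg.GetClientCertificate = diagnoseClientCert(clientCert)
	} else {
		cliCfg.Certificates = []tls.Certificate{clientCert} // default selection, as in the original post
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, srvCfg)
			if srv.Handshake() == nil { // on an empty or untrusted client cert this sends a fatal alert instead
				srv.Write([]byte("ok"))
			}
			srv.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // a server alert only surfaces here, after Dial has already returned
	return err
}

func main() {
	ca, caKey := newCA("Constructed Root A")
	other, _ := newCA("Constructed Root B")
	srv, cli := issue("localhost", ca, caKey), issue("alice", ca, caKey)
	fmt.Println("server trusts A, default client:   ", runHandshake(srv, cli, ca, ca, false))
	fmt.Println("server trusts B, default client:   ", runHandshake(srv, cli, ca, other, false))
	fmt.Println("server trusts B, diagnosing client:", runHandshake(srv, cli, ca, other, true))
}
```

The second case is the confusing one from the original post: the client's handshake completes without error because it sent no certificate at all, and the `remote error: tls: certificate required` alert only appears on the first read, with nothing on the client side pointing at the CA mismatch. The callback does not add a `Config` option to the library; it uses the hook that already exists, so the cost of the diagnosis is parsing the `AcceptableCAs` names, and the connection is aborted before any certificate leaves the client.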