Hi Jason, 

Thanks for coming back to me. 

I will raise it as an issue to have it discussed further. 

Kind regards,
Vinnie

On Tuesday, 5 August 2025 at 14:21:36 UTC+10 Jason E. Aten wrote:

> Hi Vinnie,
>
> Do you mean the error you got being hard to fathom? I don't have 
> experience with
> getting that same error so I cannot really say.
>
> Filing an issue is the only way I know to have it discussed and considered 
> by
> a library's maintainers; and even if the current behavior is intended, 
> oftentimes
> package authors would like to hear about pain points and sharp edges that 
> can
> be sanded.
>
> Best wishes,
> Jason
> On Monday, August 4, 2025 at 10:53:46 PM UTC+1 Vinnie Vertongen wrote:
>
>> Hi Jason, 
>>
>> Do you have any thoughts or opinions on the issue? 
>>
>> Kind regards,
>> Vinnie
>> On Sunday, 20 July 2025 at 07:57:09 UTC+10 Jason E. Aten wrote:
>>
>>> Hi Michael,
>>>
>>> See the 9th bullet point under 
>>> https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake
>>>
>>> and
>>>
>>> https://en.wikipedia.org/wiki/Mutual_authentication
>>>
>>> In short, client certs are just like server certs. 
>>> Any cert is a public key signed by a (Certificate Authority) private key.
>>> The corresponding CA public key is used to verify the signature on the 
>>> client cert (in TLS).
>>>
>>> The client cert is then used to verify (during the TLS handshake) that 
>>> the client 
>>> possesses the private key corresponding to the client cert public key.
>>>
>>> To summarize, client certs, like server certs, are built into TLS. 
>>> They provide for mutual authentication.  
>>>
>>> Most web sites use other forms of client (user) authentication, because 
>>> of
>>> the hassle involved in configuring a web browser to obtain and deploy 
>>> client certs.
>>>
>>> If you want to play with them, I wrote a convenient tool called selfy 
>>> that 
>>> can readily generate CA key pairs and certs; here:
>>>
>>> https://github.com/glycerine/rpc25519/tree/master/cmd/selfy
>>>
>>> with description here:
>>>
>>> https://github.com/glycerine/rpc25519/tree/master?tab=readme-ov-file#the-selfy-tool-create-new-keys-quickly-view-certificates
>>>
>>> Here is how you use them in code (including password protection 
>>> checking):
>>>
>>>
>>> https://github.com/glycerine/rpc25519/blob/bace3bc59bb7a31561687d32f33a36af146994ed/selfcert/step6_loadkeypair.go#L31
>>>
>>> Best,
>>> Jason
>>>
>>> On Saturday, July 19, 2025 at 12:19:37 PM UTC+2 Michael Oguidan wrote:
>>>
>>>> Hi, I would like to follow this with you, but I would like to know what a 
>>>> client certificate is.
>>>>
>>>> On Thursday, July 17, 2025 at 5:06:25 AM UTC Vinnie Vertongen wrote:
>>>>
>>>>> The `crypto/tls` library will not configure the client certificate if 
>>>>> the signing certificate authority is not present in the list provided by 
>>>>> the server in `CertificateRequest`. The current implementation causes the 
>>>>> `remote error: tls: certificate required` error making debugging the 
>>>>> underlying CA issue difficult.
>>>>>
>>>>> Additional notes:
>>>>>
>>>>> 1. The library code in handshake.go intentionally does not configure 
>>>>> the certificate if there is no match 
>>>>> 2. The error is as expected `remote error: tls: unknown certificate 
>>>>> authority` if you downgrade the client to TLS v1.2
>>>>> 3. The behaviour seems intentional and so I didn't want to raise a bug 
>>>>> ticket - but I think this needs an improvement (Config option?) to assist 
>>>>> in debugging - it's confusing without reading the library code to 
>>>>> understand the issue
>>>>>
>>>>>
>>>>> ```
>>>>> package main
>>>>>
>>>>> import (
>>>>>     "crypto/tls"
>>>>>     "fmt"
>>>>>     "log"
>>>>>     "net/http"
>>>>> )
>>>>>
>>>>> func main() {
>>>>>     // Client certificate and key (PEM files) presented during the mTLS handshake
>>>>>     clientCert, err := tls.LoadX509KeyPair("certificate", "key")
>>>>>     if err != nil {
>>>>>         log.Fatalf("Failed to load client certificate: %v", err)
>>>>>     }
>>>>>
>>>>>     tlsConfig := &tls.Config{
>>>>>         Certificates: []tls.Certificate{clientCert},
>>>>>         ServerName:   "localhost",
>>>>>     }
>>>>>     client := &http.Client{
>>>>>         Transport: &http.Transport{
>>>>>             TLSClientConfig: tlsConfig,
>>>>>         },
>>>>>     }
>>>>>     // With a CA mismatch this fails with "remote error: tls: certificate required"
>>>>>     resp, err := client.Get("https://localhost:8443")
>>>>>     if err != nil {
>>>>>         log.Printf("TLS Error: %v", err)
>>>>>         return
>>>>>     }
>>>>>     defer resp.Body.Close()
>>>>>
>>>>>     fmt.Printf("%v\n", resp.Status)
>>>>> }
>>>>> ```
>>>>>
>>>>> Example HAProxy configuration:
>>>>> ```
>>>>> global
>>>>>     daemon
>>>>>
>>>>> defaults
>>>>>     mode http
>>>>>     timeout connect 5000ms
>>>>>     timeout client 50000ms
>>>>>     timeout server 50000ms
>>>>>
>>>>> frontend mtls_frontend
>>>>>     # Client certificate CA not present (remote error: tls: 
>>>>> certificate required)
>>>>>     bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify 
>>>>> required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem 
>>>>>     # Client certificate CA present (success)
>>>>>     #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify 
>>>>> required ca-file /etc/ssl/certs/chain.pem
>>>>>     default_backend web_servers
>>>>>
>>>>> backend web_servers
>>>>>     server web1 127.0.0.1:8080 check
>>>>> ```
>>>>>
>>>>
