<https://lh3.googleusercontent.com/-JjBYNmISJAY/WovQKLci5sI/AAAAAAAAHYU/VJ4zmIbT8VQH_5NtuftKY9DDy78C4Hd3ACLcBGAs/s1600/server_hello.jpg>
Here is the screenshot. I tried the same certificates with NodeJs and there it is working on the first shot, but I really do not want to use NodeJs for this :) I

On Monday, 19 February 2018 at 22:24:50 UTC+1, Maciej Gałkowski wrote:
>
> Ah, just had a closer look at the screenshot. It seems that the server
> sends a Certificate Request message. The Certificate Request contains a list
> of all CA RDNs that are accepted by the server (which can be an empty
> list, in which case a cert signed by any CA should be accepted).
>
> It would be easier to debug the issue if you could post the screenshot of
> the server hello message from Wireshark.
> My guess is that the certificate that you have set in the client was not
> signed by a CA allowed by the server.
>
> Your TLS config from the go playground looks OK, the one you posted here
> also.
>
> I would suggest running openssl s_client with the -debug flag to connect
> to the TLS server and check if everything is OK on the server side.
> The -debug flag should print all the client/server certificates, and the
> list of accepted signing CAs for the client certificate if you pass in one.
>
> The same way you could run openssl s_server and use your go client to
> connect to it to debug the other side. It should not be necessary though.
>
> I am surprised that the server doesn't terminate the TLS handshake if it
> doesn't receive an acceptable certificate. That is how my servers are
> configured anyway (Yes, this is configurable, and hence I suspect that the
> culprit is the server config).
>
>
> On Monday, 19 February 2018 at 20:43:23 UTC, Maciej Gałkowski wrote:
>>
>> Hi, This might be a red herring, but are you sure that your server
>> requires a client cert?
>> As far as I can understand the RFC
>> https://tools.ietf.org/html/rfc5246#section-7.4.4,
>> it is the server that sends a certificate request to the client so it can
>> authenticate.
>>
>> On Monday, 19 February 2018 at 08:46:13 UTC, Miha Zoubek wrote:
>>>
>>> Hello
>>>
>>> tnx for help.
>>>
>>> I tried like:
>>>
>>>     tlsConfig := &tls.Config{
>>>         Certificates:       []tls.Certificate{cert},
>>>         RootCAs:            caCertPool,
>>>         InsecureSkipVerify: false,
>>>     }
>>>
>>>     //tlsConfig.BuildNameToCertificate()
>>>     transport := &http.Transport{TLSClientConfig: tlsConfig}
>>>     client := &http.Client{Transport: transport}
>>>
>>> but it is the same thing. What about GetClientCertificate() config, how
>>> to use, should this help?
>>>
>>>     // GetClientCertificate, if not nil, is called when a server requests a
>>>     // certificate from a client. If set, the contents of Certificates will
>>>     // be ignored.
>>>
>>> On Mon, 19 Feb 2018 at 09:33, Jakob Borg <ja...@kastelo.net> wrote:
>>>
>>>> Try without using Config.BuildNameToCertificate. That’s a server side
>>>> thing and I doubt it does what you want on the client side.
>>>>
>>>> //jb
>>>>
>>>> On 16 Feb 2018, at 14:41, mzo...@gmail.com wrote:
>>>>
>>>> Hello
>>>>
>>>> this is my code:
>>>> https://play.golang.org/p/yxhYXEVMPjB
>>>>
>>>> I got a certificate in pfx format, I extracted the client, CA and private
>>>> certificate, which I imported in my program.
>>>>
>>>>     # Extract Public Key (ask for password)
>>>>     openssl pkcs12 -in file.pfx -out file_public.pem -clcerts -nokeys
>>>>
>>>>     # Extract Certificate Authority Key (ask for password)
>>>>     openssl pkcs12 -in file.pfx -out file_ca.pem -cacerts -nokeys
>>>>
>>>>     # Extract Private Key (ask for password)
>>>>     openssl pkcs12 -in file.pfx -out file_private.pem -nocerts -nodes
>>>>
>>>> I need to send the certificate in the request to the server, but the thing
>>>> is that I get from the server that the certificate is not included in the
>>>> request. I did a trace also with WireShark and there is no certificate
>>>> appended in the request.
>>>>
>>>> Thank you for all your help!
>>>> miha
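
Added example, not part of the thread and not the posters' code: a `GetClientCertificate` callback in Go that compares the client chain's issuer against the CA names from the server's Certificate Request, which is the mismatch suspected above, and reports the result before offering the certificate. The helper names `issuerAccepted`, `diagnose` and `selfSigned` are assumptions, and the certificate is constructed in-process as sample input.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuerAccepted (hypothetical helper): true if a chain cert's issuer DN is in the server's list; an empty list allows any.
func issuerAccepted(cert tls.Certificate, acceptableCAs [][]byte) bool {
	for _, der := range cert.Certificate {
		c, err := x509.ParseCertificate(der)
		for _, ca := range acceptableCAs {
			if err == nil && bytes.Equal(c.RawIssuer, ca) {
				return true
			}
		}
	}
	return len(acceptableCAs) == 0
}

// diagnose (hypothetical helper) returns a GetClientCertificate callback that reports the match, then offers cert anyway.
func diagnose(cert tls.Certificate, report func(string)) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		report(fmt.Sprintf("CA names offered: %d, issuer match: %v", len(cri.AcceptableCAs), issuerAccepted(cert, cri.AcceptableCAs)))
		return &cert, nil
	}
}

// selfSigned builds a constructed sample certificate (errors ignored: fixed inputs) and returns it with its raw issuer DN.
func selfSigned(cn string) (tls.Certificate, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, c.RawIssuer
}

func main() {
	cert, issuer := selfSigned("constructed-client")
	cb := diagnose(cert, func(s string) { fmt.Println(s) }) // in a real client: tlsConfig.GetClientCertificate = cb
	cb(&tls.CertificateRequestInfo{AcceptableCAs: [][]byte{issuer}})             // issuer is on the server's list
	cb(&tls.CertificateRequestInfo{AcceptableCAs: [][]byte{[]byte("other CA")}}) // issuer is not on the list
}
```

An "issuer match: false" report against the real server would point at the extracted chain or the server's accepted-CA configuration rather than at the Go TLS config.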