<https://lh3.googleusercontent.com/-LwOvj8Z0210/WovQ37bwgEI/AAAAAAAAHYc/N7v2xQwZyUERZcCJVyhptVvFpsqZ-HUCwCLcBGAs/s1600/server_hello.jpg>
Hello

i tried this certificates also with Nodejs and there it is working on first 
try, so certificates should be ok. Only difference is that i did not 
include rootCA (public part), I just use like skip and trust.
here is a screenshot:



Dne ponedeljek, 19. februar 2018 22.24.50 UTC+1 je oseba Maciej Gałkowski 
napisala:
>
> Ah, just had a closer look at the screenshot. It seems that the server 
> sends Certificate Request message. The Certificate Request contains a list 
> of all CA RDNs that are accepted by the server, (which can be an empty 
> list, in which case cert signed by CA should be accepted). 
>
> It would be easier to debug the issue if you could post the screenshot of 
> the server hello message from Wireshark. 
> My guess is that the certificate that you have set in the client was not 
> signed a CA allowed by the server.
>
> Your TLS config from the go playground looks OK, the one you posted here 
> also. 
>
> I would suggest running openssl s_client with the -debug flag to connect 
> to the TLS server and check if everything is OK on the server side. 
> The -debug flag should print all the client/server certificates, and the 
> list of accepted signing CAs for the client certificate if you pass in one. 
>
> The same way you could run openssl s_server and use your go client to 
> connect to it to debug the other side. It should not be necessary though.
>
> I am suprised that the server doesn't terminate the TLS handshake if it 
> doesn't receive an acceptable certificate. That is how my servers are 
> configured anyway (Yes, this is configurable, and hence I suspect that the 
> culprit is the server config). 
>
>
> W dniu poniedziałek, 19 lutego 2018 20:43:23 UTC użytkownik Maciej 
> Gałkowski napisał:
>>
>> Hi, This might be a red herring, but are you sure that your server 
>> requires a client cert? 
>> As far as I can understand the RFC 
>> https://tools.ietf.org/html/rfc5246#section-7.4.4 
>> <https://www.google.com/url?q=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc5246%23section-7.4.4&sa=D&sntz=1&usg=AFQjCNHW2hs0OK5PAatq6YXF9rhFznGmzg>,
>>  
>> it is the server that sends a certificate request to the client so it can 
>> authenticate. 
>>
>> W dniu poniedziałek, 19 lutego 2018 08:46:13 UTC użytkownik Miha Zoubek 
>> napisał:
>>>
>>> Hello
>>>
>>> tnx for help.
>>>
>>> I tried like:
>>>  
>>>     tlsConfig := &tls.Config{
>>>         Certificates: []tls.Certificate{cert},
>>>         RootCAs: caCertPool,
>>>         InsecureSkipVerify: false,
>>>     }
>>>
>>>     //tlsConfig.BuildNameToCertificate()
>>>     transport := &http.Transport{TLSClientConfig: tlsConfig}
>>>     client := &http.Client{Transport: transport}
>>>
>>> but it is the same thing. What about GetClientCertificate() config, how 
>>> to use, should this help?
>>> // GetClientCertificate, if not nil, is called when a server requests a
>>> // certificate from a client. If set, the contents of Certificates will
>>> // be ignored.
>>>
>>>
>>>
>>> V V pon., 19. feb. 2018 ob 09:33 je oseba Jakob Borg <ja...@kastelo.net> 
>>> napisala:
>>>
>>>> Try without using Config.BuildNameToCertificate. That’s a server side 
>>>> thing and I doubt it does what you want on the client side. 
>>>>
>>>> //jb
>>>>
>>>> On 16 Feb 2018, at 14:41, mzo...@gmail.com wrote:
>>>>
>>>> Hello
>>>>
>>>> this is my code:
>>>> https://play.golang.org/p/yxhYXEVMPjB
>>>>
>>>>
>>>> I got certificate in pfx format, I extraced client, CA, private 
>>>> certificate which i imported in my program.
>>>> # Extract Public Key (ask for password)
>>>> openssl pkcs12 -in file.pfx -out file_public.pem -clcerts -nokeys
>>>>
>>>> # Extract Certificate Authority Key (ask for password)
>>>> openssl pkcs12 -in file.pfx -out file_ca.pem -cacerts -nokeys
>>>>
>>>> # Extract Private Key (ask for password)
>>>> openssl pkcs12 -in file.pfx -out file_private.pem -nocerts -nodes
>>>>
>>>>
>>>> I need to send certificate in request to server but the thing is that i 
>>>> get from server that certificate is not included in request. I did trace 
>>>> also with WireShark and there is no certificate appanded in request.
>>>>
>>>>
>>>> Thank you for all your help!
>>>> miha
>>>>
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "golang-nuts" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to golang-nuts...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to