I found a remedy. It turns out that it is a misconfiguration of the Apache
server, which is supposed to follow the chain of client certificates provided
by the Go client. Surprisingly, this is not the case for the curl and Python
clients, i.e. when I used them the Apache server was able to recognize the
client certificates. The actual configuration for Apache requires the
following parameters:
SSLCACertificatePath /path/certificates
SSLCARevocationPath /path/certificates
SSLCARevocationCheck chain

Without these options Apache will be unable to recognize the DN of the x509
certificate passed by the Go client.

On Tuesday, October 30, 2018 at 7:29:18 PM UTC-4, Valentin Kuznetsov wrote:
>
> Hi,
> I'm experiencing a weird problem with a Go client accessing an Apache SSL
> server. I need to authenticate my client with my X509 certificates. Here is
> the client code:
>
> import (
>     "crypto/tls"
>     "crypto/x509"
>     "io/ioutil"
>     "net/http"
>     "os"
> )
>
> // helper function to create a client
> func HttpClient() *http.Client {
>     // client certificate and key locations come from the environment
>     uckey := os.Getenv("X509_USER_KEY")
>     ucert := os.Getenv("X509_USER_CERT")
>     cert, err := tls.LoadX509KeyPair(ucert, uckey)
>     if err != nil {
>         panic(err.Error())
>     }
>     certs := []tls.Certificate{cert}
>     // root CA
>     caCert, err := ioutil.ReadFile("my-grid-CA.pem")
>     if err != nil {
>         panic(err.Error())
>     }
>     caCertPool := x509.NewCertPool()
>     caCertPool.AppendCertsFromPEM(caCert)
>     tlsConfig := &tls.Config{Certificates: certs, RootCAs: caCertPool}
>     tlsConfig.BuildNameToCertificate()
>     tr := &http.Transport{TLSClientConfig: tlsConfig}
>     return &http.Client{Transport: tr}
> }
>
> Then I use the following code to make an HTTPS call:
>
> rurl := "MY_URL"
> req, _ := http.NewRequest("GET", rurl, nil)
> // I setup other headers in a similar way
> req.Header.Add("Accept-Encoding", "identity")
> client := HttpClient()
> resp, err := client.Do(req)
>
> And I'm getting an authentication error because my client certificates are
> not propagated to the Apache server.
> From the Apache server I found that mod_ssl extracts my server CA and
> creates SSL_SERVER_CERT and similar SSL_SERVER headers, but for client
> certificates it only creates
> SSL_CLIENT_VERIFY: NONE
> SSL_CLIENT_CERT:
> and nothing else. If I use Python code or plain curl I do see that Apache
> correctly identifies client certificates, extracts my DN, etc., i.e. it
> sets up SSL_CLIENT_S_DN and other headers, which are later used by the
> authentication code.
>
> How can I dump, in Go code, the request along with the passed certificates?
> I used httputil.DumpRequestOut but it does not print my certificates, it
> only provides info about request headers.
>
> What else am I missing,
> I would appreciate any help,
> Valentin.
>
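
One way to see the certificate exchange the question asks about, as an added example that is not code from this thread: Go's crypto/tls offers a certificate from Config.Certificates only when an issuer in its chain appears in the CA list the server sends in its CertificateRequest (an empty list accepts any), and the callback below logs that list and the outcome. The names clientCertLogger, caNames and issuerListed and the constructed CA name are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"log"
)

// caNames renders the DER-encoded CA names a server sends in its CertificateRequest.
func caNames(acceptable [][]byte) (names []string) {
	for _, der := range acceptable {
		var rdn pkix.RDNSequence
		if _, err := asn1.Unmarshal(der, &rdn); err == nil {
			names = append(names, rdn.String())
		}
	}
	return names
}

// issuerListed mirrors the issuer check in crypto/tls: an empty list accepts any chain.
func issuerListed(chain []*x509.Certificate, acceptable [][]byte) bool {
	for _, c := range chain {
		for _, ca := range acceptable {
			if bytes.Equal(c.RawIssuer, ca) {
				return true
			}
		}
	}
	return len(acceptable) == 0
}

// clientCertLogger (hypothetical helper) builds a tls.Config.GetClientCertificate callback; chain is cert.Certificate parsed.
func clientCertLogger(cert tls.Certificate, chain []*x509.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		ok := issuerListed(chain, cri.AcceptableCAs)
		log.Printf("server lists client CAs %q; issuer listed: %v", caNames(cri.AcceptableCAs), ok)
		if !ok {
			return &tls.Certificate{}, nil // empty certificate: nothing is sent
		}
		return &cert, nil
	}
}

func main() { // constructed input: the server lists one CA and the empty chain has no match
	ca, _ := asn1.Marshal(pkix.Name{CommonName: "Constructed Grid CA"}.ToRDNSequence())
	clientCertLogger(tls.Certificate{}, nil)(&tls.CertificateRequestInfo{AcceptableCAs: [][]byte{ca}})
}
```

To use it with the client above, set tlsConfig.GetClientCertificate = clientCertLogger(cert, chain), where chain holds each entry of cert.Certificate parsed with x509.ParseCertificate.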
