The `crypto/tls` library will not configure the client certificate if the 
signing certificate authority is not present in the list provided by the 
server in `CertificateRequest`. The current implementation causes the 
`remote error: tls: certificate required` error, making debugging the 
underlying CA issue difficult.

Additional notes:

1. The library code in handshake.go intentionally does not configure the certificate if there is no match.
2. The error is as expected (`remote error: tls: unknown certificate authority`) if you downgrade the client to TLS v1.2.
3. The behaviour seems intentional and so I didn't want to raise a bug ticket - but I think this needs an improvement (Config option?) to assist in debugging - it's confusing without reading the library code to understand the issue.


```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
)

func main() {
	// Client certificate and key as issued by the CA under test.
	clientCert, err := tls.LoadX509KeyPair("certificate", "key")
	if err != nil {
		log.Fatalf("Failed to load client certificate: %v", err)
	}

	// The certificate is only sent if its issuer appears in the server's
	// CertificateRequest acceptable-CA list; otherwise none is sent.
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		ServerName:   "localhost",
	}
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: tlsConfig,
		},
	}
	resp, err := client.Get("https://localhost:8443")
	if err != nil {
		log.Printf("TLS Error: %v", err)
		return
	}
	defer resp.Body.Close()

	fmt.Printf("%v\n", resp.Status)
}
```

Example HAProxy configuration:
```
global
    daemon

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend mtls_frontend
    # Client certificate CA not present (remote error: tls: certificate required)
    bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
    # Client certificate CA present (success)
    #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/chain.pem
    default_backend web_servers

backend web_servers
    server web1 127.0.0.1:8080 check
```
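As an added example (not code from the original post or from the Go project), the following shows one way to get the diagnostic the notes above ask for without waiting for a library change: instead of populating `tls.Config.Certificates`, install a `GetClientCertificate` callback and compare the client chain's issuers against `CertificateRequestInfo.AcceptableCAs`, the raw DER distinguished names the server sent in `CertificateRequest`. On a mismatch the callback fails the handshake locally with an error naming both the client's issuer and the server's advertised CAs, rather than silently offering no certificate and leaving only the server's `certificate required` alert to debug. `GetClientCertificate`, `CertificateRequestInfo` and `AcceptableCAs` are real `crypto/tls` API; `diagnosticClientCert`, `issuerAccepted`, `dnString` and `newCert` are hypothetical helper names, and the two CAs and the leaf are constructed in memory so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// dnString decodes one raw DER DistinguishedName from CertificateRequest for logging.
func dnString(raw []byte) string {
	var rdn pkix.RDNSequence
	if _, err := asn1.Unmarshal(raw, &rdn); err != nil {
		return fmt.Sprintf("%x", raw) // not a parseable name; show the bytes
	}
	var name pkix.Name
	name.FillFromRDNSequence(&rdn)
	return name.String()
}

// issuerAccepted reports whether any certificate in the client's chain was
// issued by one of the CAs named in acceptableCAs (raw DER subject names).
func issuerAccepted(chain []*x509.Certificate, acceptableCAs [][]byte) bool {
	for _, c := range chain {
		for _, ca := range acceptableCAs {
			if bytes.Equal(c.RawIssuer, ca) {
				return true
			}
		}
	}
	return false
}

// diagnosticClientCert (hypothetical helper) returns a GetClientCertificate callback that offers
// cert when a listed CA issued it and otherwise fails the handshake locally, naming both sides' CAs.
func diagnosticClientCert(cert tls.Certificate) (func(*tls.CertificateRequestInfo) (*tls.Certificate, error), error) {
	chain := make([]*x509.Certificate, 0, len(cert.Certificate))
	for i, der := range cert.Certificate {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("client chain certificate #%d: %w", i, err)
		}
		chain = append(chain, c)
	}
	if len(chain) == 0 {
		return nil, fmt.Errorf("client certificate has no chain")
	}
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		if len(cri.AcceptableCAs) == 0 || issuerAccepted(chain, cri.AcceptableCAs) { // empty list = any issuer
			return &cert, nil
		}
		names := make([]string, 0, len(cri.AcceptableCAs))
		for _, raw := range cri.AcceptableCAs {
			names = append(names, dnString(raw))
		}
		return nil, fmt.Errorf("client certificate issuer %q is not among the server's acceptable CAs %q", chain[0].Issuer.String(), names)
	}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert builds constructed test material: a self-signed CA when parent is nil, else a leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	issuingCA, issuingKey := newCert("Example Issuing CA", nil, nil)
	unrelatedCA, _ := newCert("Unrelated Root CA", nil, nil)
	leaf, leafKey := newCert("client", issuingCA, issuingKey)
	getCert := must(diagnosticClientCert(tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}))
	// Simulated CertificateRequest listing only the unrelated CA, as with the first HAProxy bind line.
	_, err := getCert(&tls.CertificateRequestInfo{AcceptableCAs: [][]byte{unrelatedCA.RawSubject}})
	fmt.Println(err)
}
```

In the real client the callback replaces the `Certificates` field: `&tls.Config{ServerName: "localhost", GetClientCertificate: getCert}`. With that in place the TLS 1.3 handshake fails on the client side with the descriptive error before an empty Certificate message ever reaches the server, so the `certificate required` alert no longer hides which CA list was at fault. Since Go 1.14, `cri.SupportsCertificate(&cert)` performs the same acceptable-CA check (plus a signature-scheme check) and can be called inside the callback if you prefer the library's own verdict to the hand-written loop.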
