Hi, I would like to follow this with you, but I would like to know what a 
client certificate is.

On Thursday, July 17, 2025 at 5:06:25 AM UTC Vinnie Vertongen wrote:

> The `crypto/tls` library will not configure the client certificate if the 
> signing certificate authority is not present in the list provided by the 
> server in `CertificateRequest`. The current implementation causes the 
> `remote error: tls: certificate required` error, making debugging the 
> underlying CA issue difficult.
>
> Additional notes:
>
> 1. The library code in handshake.go intentionally does not configure the 
> certificate if there is no match 
> 2. The error is as expected `remote error: tls: unknown certificate 
> authority` if you downgrade the client to TLS v1.2
> 3. The behaviour seems intentional, so I didn't want to raise a bug 
> ticket, but I think this needs an improvement (a Config option?) to assist 
> in debugging; it's confusing without reading the library code to 
> understand the issue
>
>
> ```
> package main
>
> import (
> 	"crypto/tls"
> 	"fmt"
> 	"log"
> 	"net/http"
> )
>
> func main() {
> 	// Client certificate and key. crypto/tls only sends this certificate if
> 	// its issuing CA appears in the server's CertificateRequest.
> 	clientCert, err := tls.LoadX509KeyPair("certificate", "key")
> 	if err != nil {
> 		log.Fatalf("Failed to load client certificate: %v", err)
> 	}
>
> 	tlsConfig := &tls.Config{
> 		Certificates: []tls.Certificate{clientCert},
> 		ServerName:   "localhost",
> 	}
> 	client := &http.Client{
> 		Transport: &http.Transport{
> 			TLSClientConfig: tlsConfig,
> 		},
> 	}
> 	resp, err := client.Get("https://localhost:8443")
> 	if err != nil {
> 		log.Printf("TLS Error: %v", err)
> 		return
> 	}
> 	defer resp.Body.Close()
>
> 	fmt.Printf("%v\n", resp.Status)
> }
> ```
>
> Example HAProxy configuration:
> ```
> global
>     daemon
>
> defaults
>     mode http
>     timeout connect 5000ms
>     timeout client 50000ms
>     timeout server 50000ms
>
> frontend mtls_frontend
>     # Client certificate CA not present (remote error: tls: certificate required)
>     bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
>     # Client certificate CA present (success)
>     #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/chain.pem
>     default_backend web_servers
>
> backend web_servers
>     server web1 127.0.0.1:8080 check
> ```
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/c47b913b-c43f-4eec-bfbf-c919f74334dfn%40googlegroups.com.
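Added example (this is not code from the original post or from the Go project): the debugging aid the post asks for can be built today with `tls.Config.GetClientCertificate`. The callback receives the server's `CertificateRequestInfo`, whose `AcceptableCAs` field holds the DER-encoded names the server sent in `certificate_authorities`, and `CertificateRequestInfo.SupportsCertificate` is the same issuer check `crypto/tls` applies when it silently decides not to send a configured certificate. The program below wraps a certificate in such a callback, decodes and reports the acceptable CA list, and fails the handshake on the client side with a message naming the issuer, instead of letting the server answer `certificate required`. So that it runs offline it stands up its own TLS server over `net.Pipe` with two self-signed certificates generated in memory; the names `localhost` and `client`, and the functions `selfSigned`, `debugClientCert` and `mtlsHandshake`, are this example's own. With `trustClientCA=false` the server's `ClientCAs` pool holds a CA that did not issue the client certificate, which is what the first HAProxy `ca-file` line in the post does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes an in-memory self-signed certificate that is also its own CA (test material for this example).
func selfSigned(name string, eku x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// debugClientCert wraps one client certificate (cert.Leaf must be set) in a tls.Config.GetClientCertificate callback
// that applies the default crypto/tls check (CertificateRequestInfo.SupportsCertificate) but reports the server's
// acceptable CA list and fails locally instead of sending an empty Certificate message.
func debugClientCert(cert tls.Certificate, report func(string)) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		report(fmt.Sprintf("TLS %#04x CertificateRequest lists %d acceptable CA(s)", cri.Version, len(cri.AcceptableCAs)))
		for _, der := range cri.AcceptableCAs { // each entry is a DER-encoded X.501 Name
			var seq pkix.RDNSequence
			var name pkix.Name
			if _, err := asn1.Unmarshal(der, &seq); err != nil {
				report(fmt.Sprintf("  acceptable CA (undecodable): %x", der))
				continue
			}
			name.FillFromRDNSequence(&seq)
			report("  acceptable CA: " + name.String())
		}
		issuer := cert.Leaf.Issuer.String()
		if err := cri.SupportsCertificate(&cert); err != nil {
			report("  not offering certificate issued by " + issuer + ": " + err.Error())
			return nil, fmt.Errorf("client certificate issued by %s not offered: %w", issuer, err)
		}
		report("  offering certificate issued by " + issuer)
		return &cert, nil
	}
}

// mtlsHandshake runs one handshake over an in-memory pipe against a server that requires a client
// certificate and returns the callback's report plus the client-side handshake error.
func mtlsHandshake(trustClientCA bool) (report []string, err error) {
	serverCert, clientCert := selfSigned("localhost", x509.ExtKeyUsageServerAuth), selfSigned("client", x509.ExtKeyUsageClientAuth)
	rootCAs, clientCAs := x509.NewCertPool(), x509.NewCertPool()
	rootCAs.AddCert(serverCert.Leaf)
	if trustClientCA {
		clientCAs.AddCert(clientCert.Leaf)
	} else { // the thread's situation: the CA the server advertises did not issue the client certificate
		clientCAs.AddCert(serverCert.Leaf)
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              clientCAs, // its subjects become the CertificateRequest's CA list
		SessionTicketsDisabled: true,      // no post-handshake writes on the synchronous pipe
	}
	clientCfg := &tls.Config{
		RootCAs:              rootCAs,
		ServerName:           "localhost",
		GetClientCertificate: debugClientCert(clientCert, func(line string) { report = append(report, line) }),
	}
	serverConn, clientConn := net.Pipe()
	defer time.AfterFunc(5*time.Second, func() { serverConn.Close(); clientConn.Close() }).Stop() // watchdog
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(serverConn, serverCfg).Handshake(); serverConn.Close() }()
	err = tls.Client(clientConn, clientCfg).Handshake()
	clientConn.Close() // unblocks the server's read if the client bailed out early
	if serr := <-serverErr; err == nil && serr != nil {
		err = fmt.Errorf("server side: %w", serr)
	}
	return report, err
}
```

Call `mtlsHandshake(false)` to reproduce the post's case: the report lists `acceptable CA: CN=localhost` and the client fails with `client certificate issued by CN=client not offered: ...`, instead of the server's `remote error: tls: certificate required` turning up on the first read. With `true` the same callback offers the certificate and the handshake completes. For production use, log and then return `new(tls.Certificate)`, which is the documented way to send no certificate and keeps the library's default behaviour, rather than failing the handshake yourself. For a view from outside Go, `openssl s_client -connect localhost:8443` prints the same server-sent list under "Acceptable client certificate CA names".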