crypto/tls: client auth failure alert codes can be improved #52113
Comments
I actually have this fixed already in a fork of mine; you can view it here: master...anitgandhi:improve-client-auth-alerts. But I wanted to quickly have a discussion here to ensure the maintainers are open to changing this behavior. If folks are open to fixing this, I'll be happy to open a PR/CL from my branch linked above. Thanks in advance!
Perhaps this requires a separate issue or discussion, but I would have also liked to take advantage of the I know I imagine the sentinel error part could be done by extending the existing

```go
if c.config.VerifyPeerCertificate != nil {
	if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
		var errCertificateInvalid x509.CertificateInvalidError
		var alert alert
		// x509.Revoked is the sentinel reason this comment proposes; the standard
		// library's crypto/x509 defines no InvalidReason by that name.
		if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Revoked {
			alert = alertCertificateRevoked
		} else {
			alert = alertBadCertificate
		}
		c.sendAlert(alert)
		return err
	}
}
```
/cc @FiloSottile
Sorry for the ping on this, folks, any thoughts? I wanted to try and get this in before the 1.19 dev freeze, if possible.
CC @golang/security
Change https://go.dev/cl/410496 mentions this issue:
Hey, sorry for the lag. The main portion of this (returning the more specific alerts) seems reasonable. We're currently in the 1.19 freeze, so we'll have to wait for 1.20 to get this in (the tree should re-open in August.)
@rolandshoemaker no problem, and sounds good. I went ahead and opened the CL; is it ok to just leave it as-is until August, or should I close it out?
Yup, leave it open and I'll give it a review, and once the tree opens we can submit it.
Hi @rolandshoemaker, just a friendly ping on this/the CL now that the tree has been opened for 1.20. Thanks in advance!
Sorry for the long wait, left a comment on the CL.
@rolandshoemaker 👋 I've resolved the comment on the CL; any chance this could still make it in for 1.20?
Hi @rolandshoemaker, Happy New Year! It would be a huge help for our organization when debugging mTLS errors
…cation alerts For golang#52113 For golang#58645
Change https://go.dev/cl/505436 mentions this issue:
…cation alerts
For #52113
For #58645

Change-Id: Id7dff2570132588da95fb4216a86faf34fa2cbdc
GitHub-Last-Rev: 94eabfe
GitHub-Pull-Request: #60972
Reviewed-on: https://go-review.googlesource.com/c/go/+/505436
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
What version of Go are you using (go version)?

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output

What did you do?

ClientAuthType configuration higher than RequestClientCert. This could be an HTTPS server, gRPC, etc.
curl, openssl s_client, etc. and provide an invalid client certificate.

What did you expect to see?

I'd like to see one of the more meaningful TLS alerts that RFC 5246 (TLSv1.2) or RFC 8446 (TLSv1.3) define. Namely:
- certificate_required when the server is configured with tls.RequireAnyClientCert or tls.RequireAndVerifyClientCert, and the client doesn't provide any client cert
- certificate_expired when the client provides a client cert but it's expired (or not yet valid)
- unknown_ca when the client provides a client cert but it's not signed by an authority that the Go TLS server is configured to require.

What did you see instead?

TLS alert bad_certificate is always returned, which is often confusing to end users because it doesn't surface enough information to quickly find out if/how they can fix their client certificate.
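The classification the report asks for, written out as an added example; this is not code from the Go project, from the CL referenced above, or from the reporter's fork. It reproduces the decision on top of crypto/x509 alone: VerifyClient (a name assumed here) does what a server configured with RequireAndVerifyClientCert does, verifying the presented leaf against ClientCAs with the client-auth EKU, and AlertForVerifyError maps the resulting error to the RFC alert name the report lists: unknown_ca for x509.UnknownAuthorityError, certificate_expired for a CertificateInvalidError whose Reason is x509.Expired (which in crypto/x509 covers "not yet valid" as well), and bad_certificate for everything else, including the opaque errors a VerifyPeerCertificate callback like the one in the comment above can return. The CA and client certificates are throwaway material generated inside the program, and the result is an alert name rather than an alert sent on a connection, so the example runs on any Go version independently of what crypto/tls itself sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AlertDescription names (RFC 5246 / RFC 8446) the report asks for; certificate_required
// (116) exists only in TLS 1.3, TLS 1.2 defines no alert for a missing client certificate.
const (
	AlertBadCertificate      = "bad_certificate"      // 42
	AlertCertificateExpired  = "certificate_expired"  // 45
	AlertUnknownCA           = "unknown_ca"           // 48
	AlertCertificateRequired = "certificate_required" // 116
)

// AlertForVerifyError maps a (*x509.Certificate).Verify error to the alert the report wants sent.
func AlertForVerifyError(err error) string {
	var invalid x509.CertificateInvalidError
	var unknownCA x509.UnknownAuthorityError
	switch {
	case errors.As(err, &unknownCA): // no chain from the leaf to any ClientCAs root
		return AlertUnknownCA
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired: // also covers "not yet valid"
		return AlertCertificateExpired
	default: // wrong EKU, name constraints, bad signature, opaque callback errors, ...
		return AlertBadCertificate
	}
}

// VerifyClient mirrors a server set to RequireAndVerifyClientCert: no certificate is
// certificate_required; otherwise verify against ClientCAs with the client-auth EKU.
// An empty string means the client is accepted.
func VerifyClient(leaf *x509.Certificate, clientCAs *x509.CertPool) string {
	if leaf == nil {
		return AlertCertificateRequired
	}
	opts := x509.VerifyOptions{Roots: clientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return AlertForVerifyError(err)
	}
	return ""
}

// must panics on error; the fixture code below can only fail on a broken RNG or template.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a minimal CA or client-auth leaf valid from now+nb to now+na, signed by
// parent (self-signed when nil) with a fresh P-256 key. Throwaway material for this example.
func mkCert(cn string, ca bool, nb, na time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(nb), NotAfter: time.Now().Add(na)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// RunScenarios builds the client cases from the report and returns the alert each would get.
func RunScenarios() map[string]string {
	trusted, trustedKey := mkCert("trusted-ca", true, -time.Hour, 24*time.Hour, nil, nil)
	other, otherKey := mkCert("other-ca", true, -time.Hour, 24*time.Hour, nil, nil)
	valid, _ := mkCert("client", false, -time.Hour, time.Hour, trusted, trustedKey)
	expired, _ := mkCert("client", false, -48*time.Hour, -24*time.Hour, trusted, trustedKey)
	unknown, _ := mkCert("client", false, -time.Hour, time.Hour, other, otherKey)
	pool := x509.NewCertPool() // the server's ClientCAs: trusted-ca only
	pool.AddCert(trusted)
	out := map[string]string{"none": VerifyClient(nil, pool)}
	for name, leaf := range map[string]*x509.Certificate{"valid": valid, "expired": expired, "unknown-ca": unknown} {
		out[name] = VerifyClient(leaf, pool)
	}
	return out
}

func main() {
	for name, alert := range RunScenarios() {
		fmt.Printf("%-11s -> %q\n", name, alert)
	}
}
```

Run with go run on a single file; it prints one line per scenario. A server that adopts this mapping should still fall back to bad_certificate (or, on TLS 1.2, handshake_failure for a missing certificate) for anything it cannot classify, since the more specific alerts only help a client operator when they are accurate.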