go: crypto/tls: client auth failure alert codes can be improved
What version of Go are you using (go version)?
$ go version
go version go1.18 darwin/amd64
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/Users/agandhi/Library/Caches/go-build" GOENV="/Users/agandhi/Library/Application Support/go/env" GOEXE="" GOEXPERIMENT="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="darwin" GOINSECURE="" GOMODCACHE="/Users/agandhi/go/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="darwin" GOPATH="/Users/agandhi/go" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/Users/agandhi/.gimme/versions/go1.18.darwin.amd64" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/Users/agandhi/.gimme/versions/go1.18.darwin.amd64/pkg/tool/darwin_amd64" GOVCS="" GOVERSION="go1.18" GCCGO="gccgo" GOAMD64="v1" AR="ar" CC="clang" CXX="clang++" CGO_ENABLED="1" GOMOD="/dev/null" GOWORK="" CGO_CFLAGS="-g -O2" CGO_CPPFLAGS="" CGO_CXXFLAGS="-g -O2" CGO_FFLAGS="-g -O2" CGO_LDFLAGS="-g -O2" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/8b/jm61yqyn0g126b4p23hrfz7c0000gp/T/go-build4159564691=/tmp/go-build -gno-record-gcc-switches -fno-common"
What did you do?
- Run a Go TLS server with a ClientAuthType configuration higher than RequestClientCert. This could be an HTTPS server, gRPC, etc.
- Connect to it using curl, openssl s_client, etc. and provide an invalid client certificate.
What did you expect to see?
I’d like to see one of the more meaningful TLS alerts that RFC 5246 (TLSv1.2) or RFC 8446 (TLSv1.3) define. Namely:
- certificate_required when the server is configured with tls.RequireAnyClientCert or tls.RequireAndVerifyClientCert, and the client doesn’t provide any client cert
- certificate_expired when the client provides a client cert but it’s expired (or not yet valid)
- unknown_ca when the client provides a client cert but it’s not signed by an authority that the Go TLS server is configured to require.
What did you see instead?
TLS alert bad_certificate is always returned, which is often confusing to end users because it doesn’t surface enough information to quickly find out if/how they can fix their client certificate.
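As an added example (not code from the issue or from the Go project), the following self-contained program drives the scenario above against an in-process loopback server: clientAlert returns the error a Go client observes when it presents no certificate, an expired one, an untrusted one, or the trusted good certificate. All names (selfSigned, clientAlert, server, good) and every certificate are constructed for the demonstration, and the client sends its certificate through GetClientCertificate because a plain Go client withholds a certificate whose issuer the server does not advertise, which would hide the expired and unknown-CA cases behind the no-certificate one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"time"
)

// selfSigned mints an in-memory Ed25519 certificate for name (constructed for this demo; not a real credential).
func selfSigned(name string, notAfter time.Time) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames: []string{name}, NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
var server, good = selfSigned("server", time.Now().Add(time.Hour)), selfSigned("good", time.Now().Add(time.Hour))
// clientAlert handshakes with a loopback server (presenting server, RequireAndVerifyClientCert, trusting only good) while offering client (zero value: no certificate) and returns the error text the client sees ("" on success).
func clientAlert(client tls.Certificate) string {
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(good.Leaf)
	rootCAs.AddCert(server.Leaf)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs})
	defer ln.Close()
	go func() {
		tc, _ := ln.Accept()
		if tc.(*tls.Conn).Handshake() != nil { // the alert is already on the wire; drain what the
			io.Copy(io.Discard, tc.(*tls.Conn).NetConn()) // client sent so the close is a FIN, not an RST
		}
		tc.Close() // after a successful handshake this is a clean close_notify (the client reads io.EOF)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: rootCAs, ServerName: "server",
		// A Go client silently withholds a configured certificate whose issuer is not among the CAs the
		// server advertises; this callback sends it regardless, as curl or openssl s_client would.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &client, nil }})
	if err == nil { // a TLS 1.3 client finishes first, so the server's alert surfaces on the first Read
		_, err = conn.Read(make([]byte, 1))
		conn.Close()
	}
	if err == nil || err == io.EOF {
		return ""
	}
	return err.Error() // go1.18 always reports "remote error: tls: bad certificate"
}
```

On go1.18 all three failures come back as "remote error: tls: bad certificate"; with the go1.21 change tracked by the commits listed below they map to the more specific RFC 8446 alerts this issue asks for.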
About this issue
- State: closed
- Created 2 years ago
- Reactions: 2
- Comments: 15 (13 by maintainers)
Commits related to this issue
- doc/go1.21: document changes in crypto/tls related to client authentication alerts For #52113 For #58645 — committed to anitgandhi/go by anitgandhi a year ago
- doc/go1.21: document changes in crypto/tls related to client authentication alerts For #52113 For #58645 Change-Id: Id7dff2570132588da95fb4216a86faf34fa2cbdc GitHub-Last-Rev: 94eabfe82f189b7a5fb7f1e... — committed to golang/go by anitgandhi a year ago
Sorry for the long wait, left a comment on the CL.
Yup, leave it open and I’ll give it a review, and once the tree opens we can submit it.
Hey, sorry for the lag. The main portion of this (returning the more specific alerts) seems reasonable. We’re currently in the 1.19 freeze, so we’ll have to wait for 1.20 to get this in (the tree should re-open in August).