mutual TLS authentication (sometimes)

Matthew Zimmerman

Nov 19, 2019, 8:32:16 PM
to golang-nuts
I can authenticate users via certificate with tls.Config and RequireAndVerifyClientCert to my CA; that's working just fine.

What I'd like to do however is to *only* require and verify the cert if they don't have a valid session cookie. I know that the session is only available after TLS, but the client cert is also not always available. I only want the cert to be required for an initial authentication and then after certain timeout periods.

Is there any way to tell the client to reconnect but this time present a certificate? I don't think there is, but trying to work through this.  I could run the service on a different port and then have separate tls.Config options (require cert or not), but the fat client I'm dealing with doesn't like the different port -- it only wants 443.

I've also thought about authenticating on a different domain name auth.service then redirecting to data.service or something like that where the cookie would be issued to the *.service domain, however that's still one tls.Config and using SNI with tls.Config.GetCertificate() and I don't know of a way to change the tls.Config.ClientAuth for a server based upon the SNI.

Any ideas?

burak serdar

Nov 19, 2019, 11:02:12 PM
to Matthew Zimmerman, golang-nuts
Can you run it in a container, assign two IPs, with different tls
listeners for each IP?


Anthony Martin

Nov 20, 2019, 4:18:10 AM
to Matthew Zimmerman, golang-nuts
Matthew Zimmerman <mzimm...@gmail.com> once said:
> I've also thought about authenticating on a different domain name
> auth.service then redirecting to data.service or something like that where
> the cookie would be issued to the *.service domain, however that's still
> one tls.Config and using SNI with tls.Config.GetCertificate() and I don't
> know of a way to change the tls.Config.ClientAuth for a server based upon
> the SNI.
>
> Any ideas?

% go doc crypto/tls Config.GetConfigForClient
package tls // import "crypto/tls"

type Config struct {
// GetConfigForClient, if not nil, is called after a ClientHello is received
// from a client. It may return a non-nil Config in order to change the Config
// that will be used to handle this connection. If the returned Config is nil,
// the original Config will be used. The Config returned by this callback may
// not be subsequently modified.
//
// If GetConfigForClient is nil, the Config passed to Server() will be used for
// all connections.
//
// Uniquely for the fields in the returned Config, session ticket keys will be
// duplicated from the original Config if not set. Specifically, if
// SetSessionTicketKeys was called on the original config but not on the
// returned config then the ticket keys from the original config will be copied
// into the new config before use. Otherwise, if SessionTicketKey was set in
// the original config but not in the returned config then it will be copied
// into the returned config before use. If neither of those cases applies then
// the key material from the returned config will be used for session tickets.
GetConfigForClient func(*ClientHelloInfo) (*Config, error)

// ... other fields elided ...
}
%

Cheers,
Anthony
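
The GetConfigForClient approach Anthony points to, carried through to Matthew's auth.service / data.service scheme, as an added example. This is my own code, not code from this thread or from the Go project; the host names, the cookie name and domain, the in-memory session store and the SERVER_CERT / SERVER_KEY / CLIENT_CA environment variables are assumptions. Two things the callback alone does not give you: the SNI name is chosen by the client, so the handler that mints the cookie must check that its own handshake actually verified a chain rather than trusting the host it was routed by; and a data.service request without a live cookie is answered with a redirect to auth.service, which is the only way to make the client "reconnect and present a certificate", since Go's crypto/tls server neither initiates renegotiation nor does TLS 1.3 post-handshake client authentication.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"log"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"
)

// Hypothetical names following the auth.service / data.service scheme in the post.
const authHost, dataHost, cookieName = "auth.service", "data.service", "session"

// newServerConfig: one :443 listener whose base config never asks for a client certificate;
// GetConfigForClient swaps in a mutual-TLS clone when the ClientHello's SNI names authHost.
func newServerConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	base := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	withCert := base.Clone() // cloned before the callback is set, so the clone carries none
	withCert.ClientAuth = tls.RequireAndVerifyClientCert
	withCert.ClientCAs = clientCAs
	base.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		// Runs after the ClientHello, before any HTTP bytes exist: SNI is the only
		// per-connection signal, so no cookie can be consulted here. nil keeps base.
		if strings.EqualFold(hello.ServerName, authHost) {
			return withCert, nil
		}
		return nil, nil
	}
	return base
}

// sessionStore is in-memory (single-process assumption); its TTL forces the next cert-backed login.
type sessionStore struct {
	ttl   time.Duration
	byTok sync.Map // token -> sess
}
type sess struct{ subject string; expires time.Time }

// issue mints a 256-bit random token bound to subject. A failing CSPRNG is not recoverable;
// net/http turns the panic into a closed connection plus a log line.
func (st *sessionStore) issue(subject string, now time.Time) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	st.byTok.Store(tok, sess{subject, now.Add(st.ttl)})
	return tok
}

// lookup returns the subject behind a live token; expired or unknown tokens are dropped.
func (st *sessionStore) lookup(tok string, now time.Time) (string, bool) {
	if v, ok := st.byTok.Load(tok); ok && now.Before(v.(sess).expires) {
		return v.(sess).subject, true
	}
	st.byTok.Delete(tok)
	return "", false
}

// authHandler issues the cookie. SNI and Host are chosen by the client, so it does not trust the
// name it was routed by: it requires that this connection's own handshake verified a chain.
func authHandler(st *sessionStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		tok := st.issue(r.TLS.VerifiedChains[0][0].Subject.CommonName, time.Now())
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: tok, Path: "/", MaxAge: int(st.ttl / time.Second),
			Domain: "service", // mirrors the *.service idea in the post (assumption; use a registrable parent)
			Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode})
		http.Redirect(w, r, "https://"+dataHost+"/", http.StatusSeeOther)
	})
}

// dataHandler serves holders of a live cookie; anyone else is redirected to authHost. A new host
// means a new connection and a new ClientHello with a different SNI, so that handshake demands the cert.
func dataHandler(st *sessionStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil {
			if subject, ok := st.lookup(c.Value, time.Now()); ok {
				w.Write([]byte("hello " + subject + "\n"))
				return
			}
		}
		http.Redirect(w, r, "https://"+authHost+"/", http.StatusSeeOther)
	})
}

func main() { // assumption: SERVER_CERT/SERVER_KEY cover both hosts and CLIENT_CA is a PEM bundle
	serverCert, err := tls.LoadX509KeyPair(os.Getenv("SERVER_CERT"), os.Getenv("SERVER_KEY"))
	caPEM, readErr := os.ReadFile(os.Getenv("CLIENT_CA"))
	pool := x509.NewCertPool()
	if err != nil || readErr != nil || !pool.AppendCertsFromPEM(caPEM) {
		log.Fatal("need SERVER_CERT, SERVER_KEY and a PEM CLIENT_CA bundle")
	}
	mux, st := http.NewServeMux(), &sessionStore{ttl: 8 * time.Hour}
	mux.Handle(authHost+"/", authHandler(st)) // host-qualified patterns route by the Host header
	mux.Handle(dataHost+"/", dataHandler(st))
	srv := &http.Server{Addr: ":443", Handler: mux, TLSConfig: newServerConfig(serverCert, pool)}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: certificates come from TLSConfig
}
```

Both names must resolve to the same address and the server certificate must cover both, since it is one listener and one tls.Config. The 8-hour TTL is the "certain timeout period" from the question: once the cookie's session expires, the next data.service request is bounced back through the certificate handshake. The returned mutual-TLS config carries no GetConfigForClient of its own, which matches the doc's rule that the returned Config is used as-is and must not be modified afterwards.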

Matthew Zimmerman

Nov 20, 2019, 7:32:26 AM
to Anthony Martin, golang-nuts
How did I miss that?!  Awesome, thanks!