Client certificate in request missing


mzo...@gmail.com

Feb 16, 2018, 11:01:40 AM
to golang-nuts
Hello

this is my code:
https://play.golang.org/p/yxhYXEVMPjB


I got a certificate in PFX format; I extracted the client certificate, the CA certificate and the private key, which I imported into my program.
# Extract the client (end-entity) certificate only, no keys (asks for the PFX password)
openssl pkcs12 -in file.pfx -out file_public.pem -clcerts -nokeys

# Extract the CA certificate(s) only, no keys (asks for the PFX password)
openssl pkcs12 -in file.pfx -out file_ca.pem -cacerts -nokeys

# Extract the private key, unencrypted because of -nodes (asks for the PFX password)
openssl pkcs12 -in file.pfx -out file_private.pem -nocerts -nodes


I need to send the certificate in the request to the server, but the problem is that the server reports that the certificate is not included in the request. I also traced with Wireshark and there is no certificate appended to the request.


Thank you for all your help!
miha

Miha Zoubek

Feb 19, 2018, 2:06:59 AM
to golang-nuts

Hello

just for the picture:



On Friday, 16 February 2018 at 17:01:40 UTC+1, Miha Zoubek wrote:

Jakob Borg

Feb 19, 2018, 3:33:32 AM
to mzo...@gmail.com, golang-nuts
Try without using Config.BuildNameToCertificate. That’s a server side thing and I doubt it does what you want on the client side.

//jb


Miha Zoubek

Feb 19, 2018, 3:46:13 AM
to Jakob Borg, golang-nuts
Hello

Thanks for the help.

I tried like:
    tlsConfig := &tls.Config{
        Certificates:       []tls.Certificate{cert}, // client certificate and key loaded earlier
        RootCAs:            caCertPool,              // CA pool used to verify the server
        InsecureSkipVerify: false,
    }

    //tlsConfig.BuildNameToCertificate()
    transport := &http.Transport{TLSClientConfig: tlsConfig}
    client := &http.Client{Transport: transport}

but it is the same thing. What about the GetClientCertificate config option? How should it be used, and would it help?
// GetClientCertificate, if not nil, is called when a server requests a
// certificate from a client. If set, the contents of Certificates will
// be ignored.



On Mon, 19 Feb 2018 at 09:33, Jakob Borg <ja...@kastelo.net> wrote:

Maciej Gałkowski

Feb 19, 2018, 3:43:23 PM
to golang-nuts
Hi. This might be a red herring, but are you sure that your server requires a client cert?
As far as I can understand the RFC https://tools.ietf.org/html/rfc5246#section-7.4.4, it is the server that sends a certificate request to the client so it can authenticate. 

Maciej Gałkowski

Feb 19, 2018, 4:24:50 PM
to golang-nuts
Ah, I just had a closer look at the screenshot. It seems that the server sends a Certificate Request message. The Certificate Request contains a list of all CA RDNs that are accepted by the server (which can be an empty list, in which case a cert signed by a CA should be accepted).

It would be easier to debug the issue if you could post the screenshot of the server hello message from Wireshark. 
My guess is that the certificate that you have set in the client was not signed by a CA allowed by the server.

Your TLS config from the go playground looks OK, the one you posted here also. 

I would suggest running openssl s_client with the -debug flag to connect to the TLS server and check if everything is OK on the server side. 
The -debug flag should print all the client/server certificates, and the list of accepted signing CAs for the client certificate if you pass in one. 

The same way you could run openssl s_server and use your go client to connect to it to debug the other side. It should not be necessary though.

I am surprised that the server doesn't terminate the TLS handshake if it doesn't receive an acceptable certificate. That is how my servers are configured anyway (yes, this is configurable, and hence I suspect that the culprit is the server config).
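The mechanism Maciej describes is exactly what Go's crypto/tls client does with Config.Certificates, and it also answers the GetClientCertificate question from the earlier post: when the server's CertificateRequest carries a non-empty certificate_authorities list, the client only sends a certificate whose issuer (the issuer of any certificate in the configured chain) matches one of those names, and otherwise sends an empty Certificate message, which is what an "empty" certificate in a Wireshark trace looks like. GetClientCertificate replaces that selection entirely. The program below is an added example written for this page, not code from the thread or the Go project; it builds two throwaway in-memory CAs, runs one handshake over net.Pipe against a server that lists only one of them, and shows that the default selection withholds a certificate issued by the other CA while a GetClientCertificate callback sends it and also captures the acceptable-CA names the server advertised (the same information openssl s_client -debug would show). The names Server CA, Other CA, mkCert and run are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert builds a throwaway P-256 certificate for cn (constructed for this example); parent == nil makes a self-signed CA.
func mkCert(cn string, parent *x509.Certificate, parentKey interface{}, dns []string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert
}

// run does one handshake over an in-memory pipe. The server lists only "Server CA" as an acceptable
// client CA; the client's certificate was issued by "Other CA". force=false relies on Config.Certificates
// (Go's default selection), force=true sets GetClientCertificate. It returns how many client certificates
// the server received and the acceptable-CA names the server advertised (captured only when forced).
func run(force bool) (int, []string, error) {
	serverCA, serverCAx := mkCert("Server CA", nil, nil, nil)
	otherCA, otherCAx := mkCert("Other CA", nil, nil, nil)
	serverCert, _ := mkCert("localhost", serverCAx, serverCA.PrivateKey, []string{"localhost"})
	clientCert, _ := mkCert("client", otherCAx, otherCA.PrivateKey, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(serverCAx)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequestClientCert, // ask, but do not verify, so we can see what arrived
		ClientCAs:              trusted,               // these subjects are sent as certificate_authorities
		SessionTicketsDisabled: true,                  // keeps the synchronous net.Pipe handshake simple
	}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: trusted, ServerName: "localhost"}
	var acceptable []string
	if force {
		clientCfg.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, dn := range cri.AcceptableCAs { // DER-encoded Names, exactly as the server sent them
				var seq pkix.RDNSequence
				_, uerr := asn1.Unmarshal(dn, &seq)
				must(uerr)
				acceptable = append(acceptable, seq.String())
			}
			return &clientCert, nil // send it whether or not the server listed our issuer
		}
	}
	sConn, cConn := net.Pipe()
	defer func() { sConn.Close(); cConn.Close() }()
	done := make(chan error, 1)
	var got int
	go func() {
		srv := tls.Server(sConn, serverCfg)
		herr := srv.Handshake()
		got = len(srv.ConnectionState().PeerCertificates)
		done <- herr
	}()
	if err := tls.Client(cConn, clientCfg).Handshake(); err != nil {
		return 0, acceptable, err
	}
	err := <-done
	return got, acceptable, err
}

func main() {
	n0, _, err0 := run(false)
	n1, cas, err1 := run(true)
	fmt.Printf("default: %d cert(s) sent (err=%v); GetClientCertificate: %d cert(s) sent, acceptable CAs %v (err=%v)\n", n0, err0, n1, cas, err1)
}
```

Forcing the certificate with GetClientCertificate only makes it appear on the wire; a server that verifies against its own CA list will still reject it, so the real fix is for the server to trust the issuing CA. If the server lists only the root while the client certificate was issued by an intermediate, append the intermediate after the leaf in the client certificate PEM: Go compares the issuer of every certificate in the chain against the list, so the chain then qualifies. Note that the openssl -clcerts extraction at the top of the thread deliberately drops those intermediate CA certificates. OpenSSL-based clients such as Node.js send the configured certificate regardless of the advertised list, which is consistent with the difference reported later in the thread.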

Miha Zoubek

Feb 20, 2018, 2:40:20 AM
to golang-nuts

Hello

I tried these certificates with Node.js as well, and there it works on the first try, so the certificates should be OK. The only difference is that I did not include the root CA (public part); I just skip verification and trust.
here is a screenshot:



On Monday, 19 February 2018 at 22:24:50 UTC+1, Maciej Gałkowski wrote: